Put All MFA Settings in the Same Place
Every control that can toggle MFA on or off should be accessible from the same place. As it is today, an admin can go to Azure Active Directory > Users > Multi-factor auth to enforce or disable MFA for routine sign-ins. But if the admin wants to enforce or disable MFA on mobile device registrations, the admin has to go to a completely different place, Azure Active Directory > Devices > Device Settings.
This was a confusing experience for me, an admin who needed to turn off all MFA prompts. Admins won't necessarily understand the distinction between device registration MFA and MFA for other sign-ins. A better experience would be for all MFA controls to be located in the same place. And an even better experience would be for all MFA controls to be located wherever an admin might look for them.