This work is started.
Just a quick update. This is still on the roadmap, but not work that has started. The comments here are useful as we start the design. Thanks
344 votes42 comments · Azure Active Directory » Multi-factor Authentication · Flag idea as inappropriate… · Admin →
The MFA team is currently working on adding get/set/read/delete abilities for StrongAuthentication data to the Graph API.
454 votes51 comments · Azure Active Directory » User Creation, Deletion, and Profile Management · Flag idea as inappropriate… · Admin →
618 votes36 comments · Azure Active Directory » Groups/Dynamic groups · Flag idea as inappropriate… · Admin →
Thank you for your feedback! The feature team is aware of this suggestion and will keep it under consideration. There are technical challenges to overcome in order to make this happen. Please keep the votes coming if this feature matters to you.
52 votesZach Edwards commented
As a workaround, disable the baseline policy and create a custom conditional access policy to enforce MFA. For Users/Groups, include the desired directory roles and exclude your AAD group.
In my opinion, baseline products serve as recommendations. Thus baseline policies should represent industry best practice to enforce MFA, especially on privileged identities.
This is a problem we’re aware of and working on how best to address this use case.
4 votesZach Edwards commented
This can be closed - AzureAD and AzureADPreview modules are both hosted on PowerShell Gallery and can be installed using the Install-Module cmdlet.