@YeOldeStonecat Is correct, and this is why I have tickets open with Azure.
@putz Yes, again this is normal behavior IF YOU'RE USING O365 MFA, which has been normal for years. If you have that feature configured, and you enable Security Defaults, Azure will always pop for MFA on login.
The problem is O365 MFA IS GOING AWAY, with forced migrations starting in September. So if you got into your Azure portal, did a search for Authentication and opened up the recently separated Azure AD Authentication Methods applet, you'll see the migration details right there, and if you COMPLETE that migration, O365 MFA is NOW DISABLED and you're left with the true Security Defaults.
Which does NOT ENFORCE MFA on users, unless they muck with specific "risky" operations. Unless the user enrolls in phone signon, which I HIGHLY encourage anyway. So my tenants haven't really noticed, but there's no enforcement anywhere so it's very squishy.
And again I have tickets open with Microsoft on this, because they removed a feature to sell it back... it doesn't look good. And all they have to do to "fix" the problem is CHANGE Security Defaults such that it enforces MFA on all users all the time. If a tenant in those conditions wants to get around that, the only fix becomes Conditional Access, which is now an easy upsell based on need, instead of stupid on the part of Microsoft.
Also, Security Defaults won't require MFA to join a machine to Azure AD... unless you get into AAD's device blade and flip the switch... which is also baffling.
P.S.
@putz Look at your screen grab... read the 2nd bullet point until it sinks in.