Some confusion about 2FA and M365

[Velvis]

I was trying to reset a user's 2FA from the Admin 365 Android app and it eventually it pops me out to a webpage here: (obviously it won't open for my specific account if you click it)

Sign in to your account

account.activedirectory.windowsazure.com

On that page all of my users are listed as having 2FA disabled.

Eventually I went to a computer (instead of my phone) and logged in to the admin panel and went to the identity admin panel and reset the 2FA from there.

But it got me wondering, why does one area say 2FA is disabled?

 

[Sky-Knight]

O365 Single User MFA is dying.
Azure MFA controls are the future.
The former works no matter what.
The latter requires Entra ID P1 (Included in Business Premium), to configure proper controls.
Security Defaults is also all Azure, and will enforce MFA enrollment for all users, enforce MFA use for Admins, only enforce user MFA use on "risk detection".

So... which MFA controls are working? Well... Azure admin portal -> Entra ID Authentication Methods, click the manage migration link. If the pop out says "in progress" congratulations... BOTH O365 Single User MFA AND Azure MFA enforcement mechanisms are in place, and both apply to each user login, AND not only are you users vastly more likely to get MFA problems, but you can't figure out WTF it's doing and why.

Really short version, there are two configuration stacks, one is dying, the other is the future. Which are you using? Azure? O365? Both?!?