I have seen a number of MFA deployments in the last 6 months that target specific cloud apps, such as SharePoint, Exchange Online, etc. This is absolutely fine for certain clients. They have also included the Azure Management Portal in their list of cloud apps.
But they then wonder why users are able to get to Azure AD without being prompted for MFA when connecting via PowerShell.
If we then look in the Azure AD sign-in logs for that user, we can see that they authenticated against Azure AD PowerShell with no requirement for MFA.
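The sign-in log check described above can be scripted rather than done by hand in the portal. The following is an added example using the Microsoft Graph PowerShell SDK; it is not code from the original post. It assumes the SDK is installed, that the admin running it holds the AuditLog.Read.All and Directory.Read.All permissions, and that the application appears in the logs under the display name "Azure Active Directory PowerShell"; it lists successful sign-ins to that app in the last 7 days that completed with a single factor only.

```powershell
# Added example (not from the original post): find recent sign-ins to the
# Azure AD PowerShell application that completed without MFA.
# Assumes: Microsoft.Graph SDK installed; the signed-in admin has
# AuditLog.Read.All and Directory.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Look back 7 days. Graph expects an ISO 8601 UTC timestamp in the filter.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Application display name as shown in the sign-in logs (assumed value).
$appName = "Azure Active Directory PowerShell"

$signIns = Get-MgAuditLogSignIn -All `
    -Filter "appDisplayName eq '$appName' and createdDateTime ge $since"

# Keep only successful sign-ins where Azure AD did not require a second factor.
$unprotected = $signIns | Where-Object {
    $_.Status.ErrorCode -eq 0 -and
    $_.AuthenticationRequirement -eq "singleFactorAuthentication"
}

# Show who got in, from where, and which Conditional Access policies (if any)
# were evaluated for that sign-in and with what result.
$unprotected |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName,
                  AuthenticationRequirement, IPAddress,
                  @{ Name = "AppliedPolicies"; Expression = {
                      ($_.AppliedConditionalAccessPolicies |
                          ForEach-Object { "$($_.DisplayName):$($_.Result)" }) -join "; " } } |
    Sort-Object CreatedDateTime -Descending |
    Format-Table -AutoSize
```

An empty AppliedPolicies column on these rows is the tell-tale sign: the MFA policy never applied to the PowerShell sign-in at all, rather than applying and being satisfied some other way.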
The reason for this is how Azure AD APIs work: Conditional Access is evaluated against the application (resource) the client is actually authenticating to, and Azure AD PowerShell authenticates to a different application than the Azure Management Portal. A policy that only targets the portal therefore never applies to the PowerShell session.
The correct approach here would be to deploy your MFA policy for “All Cloud Apps” and then, if you need to, add the apps that don't require MFA into the Excluded tab.
What will happen then is that when a user tries to connect to Azure AD via PowerShell they will get prompted for MFA.
We can see this in the resulting Azure AD sign-in logs for that user.
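The same "All cloud apps plus exclusions" policy can be created from PowerShell as well as from the portal. The following is an added example using the Microsoft Graph PowerShell SDK; it is not code from the original post. It assumes the admin running it holds Policy.ReadWrite.ConditionalAccess and Policy.Read.All, and the values in angle brackets are placeholders you must replace: the object ID of an emergency-access (break-glass) account to keep out of the policy, and the application IDs of any apps that should not require MFA. The policy is created in report-only mode so that its effect can be checked in the sign-in logs before it is enforced.

```powershell
# Added example (not from the original post): require MFA for all cloud apps,
# with explicit user and application exclusions, via Microsoft Graph.
# Assumes: Microsoft.Graph SDK installed; the signed-in admin has
# Policy.ReadWrite.ConditionalAccess and Policy.Read.All.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "Require MFA - All cloud apps"
    # Valid states: enabled, disabled, enabledForReportingButNotEnforced.
    # Start in report-only so the sign-in logs show what *would* have happened.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            # Keep at least one emergency-access account outside the policy so a
            # broken MFA setup cannot lock every administrator out of the tenant.
            excludeUsers = @("<object-id-of-break-glass-account>")   # placeholder
        }
        applications = @{
            # "All" is what the portal calls "All cloud apps"; this is what makes
            # the policy apply to Azure AD PowerShell and every other resource.
            includeApplications = @("All")
            # Application (client) IDs of apps that genuinely must not require MFA.
            excludeApplications = @("<app-id-that-does-not-need-mfa>")   # placeholder
        }
        # Browser, modern-auth desktop clients (PowerShell included) and legacy clients.
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After reviewing the report-only results in the sign-in logs, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled"
```

While the policy is in report-only mode, each sign-in's applied Conditional Access policies will show it with a result such as reportOnlySuccess or reportOnlyFailure; once you see the PowerShell sign-ins being evaluated as expected, switch the state to enabled with the commented Update call.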
There are other things you can do to protect Azure AD as well, such as blocking non-admin users from even accessing the Azure AD web portal or Azure AD PowerShell. I will explain these in another post.