Man - I have some catching up to do here ...
- Filip - re: mirrored whiteboard - I tested it and I think you're right. A darkened background, a bright pen color and 'just the right angle.' Plus, I have it on good authority that Stuart isn't left-handed.

- Stefan - re: issue of stolen devices - physical possession of a device by an attacker opens up a lot of 'what ifs.' I don't claim to have the perfect answer but there are several options I could think of - for starters, I did a quick test and I locked out my device w/ 5-6 failed PIN attempts - that is the initial control. Further, one could issue a wipe/reset or reboot of the device via MDM/mgmt tool, use the portals/PowerShell to revoke/invalidate the tokens, disable/delete the device object in AAD, disable the user, and/or reset the user's password.
- ITEric and Kasper have similar comments - "we need a per-app option to always require MFA" - that requirement makes sense to me. I am not 'in the know' of plans for that but I did find a UserVoice item that seems to get at what you're needing (I see Kasper's prior comment there already) - take a look and vote it up (our PGs keep keen eyes on UserVoice): https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/33405382-option-to-enforce-authentication-every-time-you-ac
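The token-revocation / device-disable / user-disable steps listed for the stolen-device case, as an added example (not part of the original thread). It assumes the AzureAD PowerShell module (since retired in favour of Microsoft Graph PowerShell) and that `Connect-AzureAD` has already been run with an account allowed to manage users and devices; the UPN and device display name are constructed placeholders.

```powershell
# Containment steps for a lost/stolen device, in the order a responder would
# want them to take effect: cut off token reuse first, then the device, then the user.
function Invoke-StolenDeviceContainment {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $DeviceDisplayName,
        [switch] $DisableUser   # optional: also block the account until it is reset
    )

    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    if (-not $user) { throw "User '$UserPrincipalName' not found" }

    # 1. Invalidate every refresh token / session cookie issued to the user.
    #    Access tokens already in hand live until expiry, so this limits, not
    #    instantly ends, the attacker's window.
    Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId
    Write-Output "Revoked refresh tokens for $UserPrincipalName"

    # 2. Disable the registered/joined device object so it can no longer satisfy
    #    device-based Conditional Access or obtain new PRTs.
    $devices = Get-AzureADUserRegisteredDevice -ObjectId $user.ObjectId |
               Where-Object { $_.DisplayName -eq $DeviceDisplayName }
    if (-not $devices) {
        Write-Warning "No registered device named '$DeviceDisplayName' for this user"
    }
    foreach ($d in $devices) {
        Set-AzureADDevice -ObjectId $d.ObjectId -AccountEnabled $false
        Write-Output "Disabled device $($d.DisplayName) ($($d.DeviceId))"
    }

    # 3. Optionally block sign-in for the account until the password is reset.
    if ($DisableUser) {
        Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false
        Write-Output "Disabled sign-in for $UserPrincipalName"
    }
}

# Constructed placeholder values for illustration.
Invoke-StolenDeviceContainment -UserPrincipalName 'alice@contoso.example' `
                               -DeviceDisplayName 'ALICE-LAPTOP' -DisableUser
```

A remote wipe via the MDM tool and the password reset are separate steps outside this script; disabling the device object does not erase data on it.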