This July, Azure teams will begin rolling out additional tenant-level security measures to require multi-factor authentication (MFA). Establishing this security baseline at the tenant level puts in p...
Updated May 17, 2024
Version 4.0Blog Post
On-premises accounts that hold Entra administrative roles are a really bad idea because they allow an attacker that compromises the on-premises environment a route into the cloud. This is especially true for accounts holding the global administrator role. Here's how to report if you do have accounts in that category https://office365itpros.com/2024/08/20/administrative-role-assignments/
But even if you have on-premises accounts with Entra roles, the question of MFA only arises if these accounts attempt to connect to the Azure sites/tools. If this happens, the accounts must be able to satisfy an MFA challenge. Synchronization doesn't come into the question. It's all about the connection.
As to Power Apps, why would accounts used to run workflows need to go anywhere near the Azure sites/tools? MFA is only required when accessing the Azure sites/tools.