1) Is this new mechanism going to be applicable per-group or per-user, rather than all-or-nothing for the whole tenant (like AAD Security Defaults is)? At the moment we are using a CA custom control + CA policies to enforce Duo for most of our users, and this is done by scoping the CA policies to security groups. However, we have some accounts that are getting Azure MFA, or no MFA and very strict login restrictions, enforced by other CA policies (service accounts, admin accounts, etc.).
If this new mechanism is not equally as granular as requiring a custom control in a CA policy is, then we're about to be in a world of hurt, because it sounds like the ultimate plan is for custom controls to go away, period.
2) At the moment, when using CA custom controls/policies to enforce Duo, we see that certain things that require MFA (namely, Windows Hello for Business) do not work. It seems that's because it only supports Azure MFA or AD FS + third-party MFA. Anything like setting a sign-in PIN on a HAADJ device won't work because it asks for an Azure MFA code that users simply don't have.
Is this one of the scenarios that the new mechanism will now allow to work?