MFA required for Global Admin without Conditional Access or PIM enforcement
Hi,
I'm analyzing a break-glass account scenario in Microsoft Entra ID and would like to validate a behavior I'm observing.
The account:
Has Global Administrator role (permanent assignment)
Is excluded from all Conditional Access policies (fully validated)
Is excluded from Authentication Methods policies and MFA Registration Campaign (fully validated)
Has no per-user MFA enabled (disabled)
PIM is not enforcing MFA (role is permanently active, no activation required)
Security Defaults are disabled
SSPR is not enforcing MFA
All configurable sources that could require MFA have been reviewed and fully ruled out.
However, when signing into Microsoft Admin Portals (Entra/Azure), MFA is still required and cannot be skipped.
In Sign-in logs:
Conditional Access → Not Applied
Authentication Details show:
"MFA required in Azure AD"
"App requires multifactor authentication"
Additionally, there is a Microsoft-managed policy:
"Multifactor authentication for admins accessing Microsoft Admin Portals"
but it is in Report-only mode.
Question:
Is Microsoft Entra ID enforcing MFA automatically for privileged roles (like Global Administrator) in admin portals, even when no Conditional Access or PIM policy requires it?
And if so, is there any supported way to fully exclude a break-glass account from this behavior?
Thanks in advance.