Forum Discussion
Azure AD Security Defaults MFA not working (as expected?)
Kat-UK, I'm jumping in here too because I have been fighting this myself. I "thought" enabling security defaults would force all users to use MFA for all logins. That appears to not be the case. I help manage several small businesses that have Microsoft 365 Business Standard subscriptions. Over the past few months the admins of those accounts have been notified they needed to turn on Security defaults to protect their users because 99.9% of all compromises could have been prevented with MFA or something like that wording.
They all have enabled security defaults and yes, the admins are all forced through MFA. And yes, all users were forced to enroll in MFA. But in reviewing the login logs (7 day report in Entra) not a single 'normal' user has been forced through the MFA authentication. They all still get the single-authentication path.
Now, none of them have the Premium or AAD P1 licenses, so using conditional access isn't an option, so I am assuming they are going to have to use per-user MFA? Seriously, the whole Security Defaults documentation/recommendation stuff is misleading at best and downright confusing in reality.
So I guess at this point the question comes down to "If a customer is only using MS365 Business Standard, to ensure all users must use MFA, is using per-user MFA the option they should use?"
Dan
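
One way to run the sign-in log review described in the post over an exported log, as an added example that is not part of the original post. It assumes records shaped like the Microsoft Graph signIn resource (`userPrincipalName`, `authenticationRequirement`, `status.errorCode`); the sample records, helper and function names are constructed for illustration.

```python
from collections import defaultdict

SINGLE = "singleFactorAuthentication"
MULTI = "multiFactorAuthentication"

def _rec(upn, requirement, error_code=0):
    """Build one constructed sign-in record (assumed Graph signIn field names)."""
    return {"userPrincipalName": upn,
            "authenticationRequirement": requirement,
            "status": {"errorCode": error_code}}

# Constructed sample data, not taken from any real tenant.
SAMPLE = [
    _rec("admin@example.com", MULTI),
    _rec("admin@example.com", MULTI),
    _rec("bob@example.com", SINGLE),
    _rec("Bob@example.com", SINGLE),         # UPN case varies between records
    _rec("carol@example.com", SINGLE),
    _rec("carol@example.com", MULTI),
    _rec("dave@example.com", SINGLE, 50126), # failed sign-in, ignored below
]

def summarize_mfa(records):
    """Count successful sign-ins per user by authentication requirement."""
    counts = defaultdict(lambda: {SINGLE: 0, MULTI: 0})
    for rec in records:
        # Only successful sign-ins show what was actually required to get in.
        if (rec.get("status") or {}).get("errorCode", 0) != 0:
            continue
        upn = (rec.get("userPrincipalName") or "").lower()
        req = rec.get("authenticationRequirement")
        if upn and req in (SINGLE, MULTI):
            counts[upn][req] += 1
    return dict(counts)

def users_never_challenged(records):
    """Users whose successful sign-ins in the window were all single-factor."""
    return sorted(upn for upn, c in summarize_mfa(records).items()
                  if c[SINGLE] > 0 and c[MULTI] == 0)

if __name__ == "__main__":
    for upn, c in sorted(summarize_mfa(SAMPLE).items()):
        print(f"{upn}: single={c[SINGLE]} multi={c[MULTI]}")
    print("never MFA-required:", users_never_challenged(SAMPLE))
```

The output covers only the window of the export (7 days in the report mentioned above), so a user missing from the "never MFA-required" list may still have had most sign-ins pass as single-factor; the per-user counts show that split.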