1. MFA only when users access Azure Admin Portal
2. MFA only when users access Office 365 Admin Portal
3. The same must not go through MFA on other apps/services like Outlook, Teams, etc.
4. Also, what can I do in the situation when the MFA service is not available?

I prefer using CA (Conditional Access) for this, as the same admin who is supposed to do MFA while logging on to any one of these Admin Portals; however, in case the MFA service has an issue or is not available for some reason, how or what configuration can I keep in place beforehand and do minimal to quickly avoid the MFA prompt?
No, that doesn't work. As shown, I did a simple test: configured a policy, selected a user, said require MFA for all cloud apps but excluded 2, Exchange Online and Teams, and kept getting prompted for MFA on those two every time.
Can you try using the "What if" function on your conditional access policy, experiment with some different scenarios and report back? It may be that your policy is overlapping with some apps, causing it to MFA where it shouldn't.
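The overlap described in the reply above, as an added example that is not part of the original thread: a simplified offline model of how enabled Conditional Access policies combine, showing that an app excluded in one policy is still prompted for MFA if a second policy includes it. The policy dictionaries follow the Microsoft Graph `conditionalAccessPolicy` shape; the user ID, app IDs, policy names and the second policy are constructed for illustration, and only user and application conditions are modelled.

```python
# Simplified model of Conditional Access evaluation (not Microsoft's engine).
# Every enabled policy whose conditions match a sign-in applies, and all of
# their grant controls must be met, so one overlapping policy is enough for MFA.

def _matches(value, include, exclude):
    # Exclusions always win over inclusions within a single policy.
    if value in exclude:
        return False
    return "All" in include or value in include

def applicable_policies(policies, user, app):
    hits = []
    for p in policies:
        if p.get("state") != "enabled":
            continue
        u = p["conditions"]["users"]
        a = p["conditions"]["applications"]
        if (_matches(user, u.get("includeUsers", []), u.get("excludeUsers", []))
                and _matches(app, a.get("includeApplications", []),
                             a.get("excludeApplications", []))):
            hits.append(p)
    return hits

def mfa_sources(policies, user, app):
    """Names of every policy that would demand MFA for this sign-in."""
    return [p["displayName"] for p in applicable_policies(policies, user, app)
            if "mfa" in (p.get("grantControls") or {}).get("builtInControls", [])]

# Constructed sample data: placeholder IDs, not real tenant or app identifiers.
ADMIN, EXO, TEAMS, PORTAL = "admin-user-id", "exo-app-id", "teams-app-id", "portal-app-id"

def policy(name, include_apps, exclude_apps=(), state="enabled"):
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": [ADMIN]},
                           "applications": {"includeApplications": list(include_apps),
                                            "excludeApplications": list(exclude_apps)}},
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}

TEST_POLICY = policy("Test: MFA all apps except EXO/Teams", ["All"], [EXO, TEAMS])
OVERLAP = policy("Older: MFA for all apps", ["All"])  # hypothetical second policy

if __name__ == "__main__":
    for app in (EXO, TEAMS, PORTAL):
        print(app, "->", mfa_sources([TEST_POLICY, OVERLAP], ADMIN, app))
```

Exporting the tenant's real policies and feeding them through a check like this gives the same answer the "What if" tool is meant to surface: which policy is the source of the prompt.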