Currently, user authentication to Azure AD with MFA is only required when subscribing to a feed.
It would be great if we could optionally flag host pools or specific remote applications with a requirement for user reauthentication against AAD, because this would allow to require MFA again and also cover the case of federated custom domains where AD FS + whatever custom authentication/on-premises Microsoft MFA Server/3rd party MFA providers handle authentication. This would allow for stricter security. Instead of a flag/option on the e.g. a desktop app group, this could also be represented in the form of policies.