@LibraryITGuy I found the Password Reset was "selected" to all users in our company, maybe it causes the MFA prompts even if it shows Disabled in the M365 admin portal. The security default is disabled.
Another issue is, if the user lost his mobile phone and need to reset MFA, where should I reset it ? Usually, I set it in the M365 MFA portal ->Manage user settings-> ticked all the three selections, and then save.
" Require selected users to provide contact methods again
Delete all existing app passwords generated by the selected users
Restore multi-factor authentication on all remembered devices "
But now I got the error:
"MFA methods can’t be removed for the currently signed-in user account. Please visit https://aka.ms/mysecurityinfo for self operations." The url redirects to my account profile->security info. I know that I can delete the MFAed device, while if I already lost my mobile phone, how can I login to my account to do that by myself?
