Hi, I have done a fair bit of investigating into this but i have no clue why it keeps happening. every so often a random staff member contacts us because they are being prompted for MFA when trying to sign into office or outlook on particular PC's.

This wouldn't be a problem except these are users we haven't yet enabled for MFA (these are staff without corporate supplied phones and several chats need to have with both management and unions before we ask staff to use personal phones). 

Based on the information the 365-admin console and azure console, i could find the following:

-  Its noting a configuration change but no change has taken effect 

- the device they were logging into is showing up as an unusual location Victoria when we are in QLD due to a VPN, but out only location policies are Disallow anything outside of australia

- none of the conditional access policies are applied (which is the main way we are pushing MFA now)

- Some users where previously manually enabled for MFA using the older MFA authentication service however this user wasnt one of them and i verified and it says  MFA auth Status "disabled"

- MFA registration policy is disabled in Identity protection, sign in and risky user are handled by Conditional Access and should only apply to High risk

- To my knowledge (and i also checked with our infrastructure engineer who has been here a lot longer then me) their isn't a MFA server

I am running out of ideas why this happens to the users, all our MFA conditional access policies are applied to security groups as we are mid implementation, hes not a member of those groups. The only all staff conditional access policies currently are the high risk (which he isnt even showing with risky logins or as a risky user in the security console) and the location block, both of which are outright blocks anyways not MFA requirements. any assistance/further things to check would be really appreciated.