I have an Azure AD tenant, using an Azure AD Free license. The tenant has Security Defaults enabled and has been in that state from the initial creation of the tenant. All users in the tenant, other than the tenant creator, are Guests.
The invitees come from different sources. Some are from a separate AD tenant within the same subscription, others are from external Microsoft accounts that are outside of my control.
During the registration process, some users are prompted to configure MFA authentication methods; others are not.
There appears to be a connection between the source tenant of the invitee and whether the MFA prompts occur. Invitees from the AD tenant within the same subscription are prompted. The invitees from unknown sources are not.
Based on my reading of the documentation regarding MFA and Security Defaults, I believe everyone should be required to register MFA in some supported form within 14 days of the initial sign-in. My experience so far has not borne this out.
Is this a misunderstanding of Security Defaults, or a misconfiguration? How does one ensure that all users within a tenant use MFA within the Azure AD Free license?