MFA - Create Non Admin role for AD Synch so that all admins can be marked as needing MFA
MFA - It should be possible to specify that all admins need MFA; however, when using AD sync this does not support MFA, meaning you have to switch to "select admins need MFA". This is a security risk as you then have a user with full admin rights and no MFA. The simple fix would be to create a role which has the rights to sync AD only and no other rights. Then it can be switched to "all admins need MFA" to avoid the chances of new admins using MFA and an admin account used for AD sync not using MFA.
Shane Burke commented
Another issue with this is that you cannot set MFA for all admin accounts. Instead you need to set it to "Select admins who will need MFA. (All others sign in with password only.)" and add an extra step to the process of creating any admin accounts to add them to this list, or MFA is not enabled. This is another security risk, as you are trusting admins to follow this step on every account creation, whereas creating either this type of account or giving an option to provide MFA to all users bar a list of users would avoid it. I don't believe having this role for AD Sync as an admin account is as big a risk as this. If you set the password to a secure, randomly generated, long alphanumeric password and never use the account, the risk is very low.
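The gap both posts describe (an admin tenant stuck on "select admins need MFA" because the AD sync account cannot complete MFA, so any admin not added to the list signs in with a password only) can be checked mechanically. The following is an added example, not code from the original request or from any product: it models the two policy modes, reports which admin accounts are left without MFA and which accounts a policy would break, and applies the requested fix of moving the sync account to a sync-only role. Role names, account names and the `mfa_capable` flag are constructed assumptions for illustration.

```python
"""Audit privileged accounts under the two MFA policy modes described in the
request: "all admins need MFA" versus "select admins need MFA".

Constructed example; role and account names are assumptions, not any
product's real identifiers.
"""
from dataclasses import dataclass, field

# Hypothetical role names (assumption): which roles count as admin, and the
# proposed least-privilege role that may only run AD sync.
ADMIN_ROLES = {"full_admin"}
SYNC_ONLY_ROLE = "ad_sync_only"


@dataclass
class Account:
    name: str
    roles: set
    # The AD sync service account cannot complete an interactive MFA prompt.
    mfa_capable: bool = True


@dataclass
class MfaPolicy:
    mode: str                              # "all_admins" or "select_admins"
    selected: set = field(default_factory=set)  # only used by select_admins


def is_admin(account):
    return bool(account.roles & ADMIN_ROLES)


def requires_mfa(account, policy):
    """Does this policy force MFA on this account?"""
    if policy.mode == "all_admins":
        return is_admin(account)
    if policy.mode == "select_admins":
        # Anyone not explicitly listed signs in with password only,
        # including admins created after the list was written.
        return account.name in policy.selected
    raise ValueError(f"unknown policy mode {policy.mode!r}")


def unprotected_admins(accounts, policy):
    """Admin accounts that can sign in with a password alone: the risk."""
    return sorted(a.name for a in accounts
                  if is_admin(a) and not requires_mfa(a, policy))


def broken_accounts(accounts, policy):
    """Accounts the policy forces to MFA but which cannot do it: the reason
    tenants fall back to 'select admins'."""
    return sorted(a.name for a in accounts
                  if requires_mfa(a, policy) and not a.mfa_capable)


def move_to_sync_only_role(accounts, sync_account):
    """The requested fix: strip full admin from the sync account and give it
    only the sync-only role, so it is no longer in scope of 'all admins'."""
    return [Account(a.name, {SYNC_ONLY_ROLE}, a.mfa_capable)
            if a.name == sync_account else a
            for a in accounts]


# Constructed sample tenant: one admin on the select list, one admin created
# later and never added to it, and the AD sync service account.
ACCOUNTS = [
    Account("alice", {"full_admin"}),
    Account("bob-new", {"full_admin"}),
    Account("svc-adsync", {"full_admin"}, mfa_capable=False),
]


def current_state():
    """Today: sync needs full admin, so the tenant sits on 'select admins'."""
    policy = MfaPolicy("select_admins", selected={"alice"})
    return unprotected_admins(ACCOUNTS, policy), broken_accounts(ACCOUNTS, policy)


def all_admins_without_sync_role():
    """Switching to 'all admins' as-is protects everyone but breaks AD sync."""
    policy = MfaPolicy("all_admins")
    return unprotected_admins(ACCOUNTS, policy), broken_accounts(ACCOUNTS, policy)


def all_admins_with_sync_role():
    """With a sync-only role, 'all admins' covers every admin and breaks nothing."""
    accounts = move_to_sync_only_role(ACCOUNTS, "svc-adsync")
    policy = MfaPolicy("all_admins")
    return unprotected_admins(accounts, policy), broken_accounts(accounts, policy)


if __name__ == "__main__":
    print("select admins, sync as full admin :", current_state())
    print("all admins, sync as full admin    :", all_admins_without_sync_role())
    print("all admins, sync-only role        :", all_admins_with_sync_role())
```

Run against the constructed tenant, the first scenario lists both the never-enrolled new admin and the sync account as password-only admins, the second lists the sync account as broken, and the third reports no unprotected admins and nothing broken, which is the state the request is asking for.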