MFA - Create Non Admin role for AD Synch so that all addmins can be marked as needing MFA
MFA - It should be that you can specify that All admins need MFA, however when using AD synch this does not support MFA meaning you have to switch to select admins need MFA. This is a security risk as you then have a user with full admin and no MFA, the simple fix would be to create a role which has the rights to synch AD only no other rights. Then it can be switched to all admins need MFA to avoid the chances of new admins using MFA and an admin account used for AD synch not using MFA.
Cy Davis commented
I agree that a service account or an opt out would be better settings for the MFA for admins than is in place right now. I'd add that using IP 'Whitelisting' would actually give a second factor of where. This would mean that you could trust certain IPs to allow access via password as well. But something really needs to be done here as this really isn't good enough from a security partner.
Shane Burke commented
Another issue with this is that you cannot set MFA for all admin accounts. Instead you need to set to "Select admins who will need MFA. (All others sign in with password only.)" and add an extra step to the process of creating any admin accounts to add to this list or MFA is not enabled. This is another security risk as you are trusting admins to follow this step on every account creation where creating either this type of account or giving an option to provide MFA to all users but a list of users. I don't believe having this role for AD Sync an admin account is as big a risk as this. If you set the password to a secure randomly generated long alpha numeric password and never use the account the risk is very low.