I've recently started at a new job where the IT Manager insists on enabling Security Defaults for Microsoft 365. However, the users are pushing back against using the Microsoft Authenticator app that requires push notifications. On top of that, upper management is reluctant to spend on P1 licenses, which are necessary for broader conditional access, mainly to satisfy cybersecurity insurance requirements. I know this might seem more like a management dilemma rather than a technical one, but I've been tasked with finding a technical solution. Any advice on how to navigate this situation? What are good first steps to take?
4 Answers
You've basically got two options here unless you want to risk licensing compliance issues and go for a single P1 license, which I'd advise against. It seems to me that this really falls under a management issue since it impacts users' willingness to adopt the necessary security measures.
If you're looking for alternatives, there's been a recent announcement about external MFA options in Microsoft Entra ID that were just released. It might be a suitable workaround if upper management is still hesitant about paying for conditional access. Check out this link for more info on that: [link]. But be cautious; ensure it aligns with the company's overall strategy.
Another alternative could be using device-bound passkeys or Windows Hello. You can set this up through the recommended TAP (Technical Adoption Program), which should help reduce reliance on the Microsoft Authenticator app. Just make sure everyone is on board with this approach.
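Before moving users off Authenticator push to device-bound passkeys or Windows Hello, it helps to know who is registered for what, so nobody is locked out when push is withdrawn while Security Defaults stay enforced. The following PowerShell script is an added example, not code from this thread or from Microsoft; it uses the Microsoft Graph PowerShell SDK cmdlets for the Security Defaults policy and the authentication methods registration report. The `$passwordless` list of method names and the CSV file name are assumptions for illustration, and the report's method-name strings may change as Microsoft adds new methods.

```powershell
# Added example (not from the original thread): audit which members still rely on
# Microsoft Authenticator push vs. a passwordless, device-bound method, and confirm
# that Security Defaults are still enforced. Requires the Microsoft.Graph PowerShell SDK.
# Assumptions: the signed-in account can consent to the scopes below; the method-name
# strings below are those used by the Entra ID registration report at time of writing.

Connect-MgGraph -Scopes 'Policy.Read.All','AuditLog.Read.All','UserAuthenticationMethod.Read.All' -NoWelcome

# 1. Tenant-wide Security Defaults status (the setting the IT Manager wants kept on).
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($secDefaults.IsEnabled)"

# 2. Per-user registration details from the authentication methods report.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Method names this audit treats as "passwordless, device-bound" (assumed tenant policy:
# these are the methods accepted in place of push notifications).
$passwordless = @('windowsHelloForBusiness', 'fido2SecurityKey', 'passKeyDeviceBound')

$rows = foreach ($d in $details) {
    if ($d.UserType -ne 'member') { continue }   # skip guest accounts
    $methods = @($d.MethodsRegistered)
    [pscustomobject]@{
        User            = $d.UserPrincipalName
        MfaRegistered   = $d.IsMfaRegistered
        UsesAuthPush    = $methods -contains 'microsoftAuthenticatorPush'
        HasPasswordless = [bool]($methods | Where-Object { $passwordless -contains $_ })
        DefaultMethod   = $d.DefaultMfaMethod
    }
}

# 3. Summary: push-only users are the ones who would be blocked if push were withdrawn
#    today, and unregistered users are the ones Security Defaults will prompt at next sign-in.
$noMfa    = @($rows | Where-Object { -not $_.MfaRegistered })
$pushOnly = @($rows | Where-Object { $_.UsesAuthPush -and -not $_.HasPasswordless })
"Members: $($rows.Count); no MFA registered: $($noMfa.Count); push-only: $($pushOnly.Count)"

$pushOnly | Sort-Object User | Format-Table User, DefaultMethod -AutoSize

# Export the full picture for the rollout tracker (assumed file name).
$rows | Export-Csv -Path .\mfa-registration-audit.csv -NoTypeInformation

Disconnect-MgGraph | Out-Null
```

Install the SDK with `Install-Module Microsoft.Graph` and run the script from an account holding a reader role that covers policies and reports (for example Global Reader); it only reads state, so it can be re-run after each migration wave to watch the push-only count fall before any method is disabled.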
It's definitely a tough spot! Your IT Manager is correct about the need for Security Defaults, but if users resist using Microsoft Authenticator, that’s where it gets tricky. I think it's important for upper management to grasp why this is essential for security. Perhaps consider discussing alternatives like YubiKeys or Windows Hello for Business; those could appease the users while keeping security tight. Just ensure whatever solution you propose is still compliant with company policies.