Feedback on My Security Configuration Plan for Microsoft Entra P1

Asked By UserNinja42 On

Hey everyone! I've been working on my security configuration for Microsoft Entra P1 and wanted to get some feedback. I often see questions about MFA setups and conditional access, and I think it'd be beneficial to share and review each other's approaches to ensure we're following best practices.

My primary aim is to develop Conditional Access Policies and Authentication Method configurations that meet or exceed industry standards. My target customers are small to medium-sized businesses without Active Directory, typically using Microsoft 365 Business Premium or Standard/Basics along with Entra P1. All users affected by the conditional access policies must have Entra P1 licensing, and I plan on using FIDO2 keys for security.

Here's a quick overview of what I have planned:
1. **Authentication Methods**: I plan to enable FIDO2 security keys, TAP, hardware tokens, and Microsoft Authenticator for everyone, while also allowing SMS and Email OTP mainly for self-service password resets.
2. **Authentication Strengths**: I'll create a policy that favors stronger methods like FIDO2 and TAP over SMS.
3. **Conditional Access Policies**: I'll set up named locations, block legacy authentication, enforce geo-restrictions, and create a policy for strong authentication for end-users while excluding admin roles and break-glass accounts.
4. **Extra Considerations**: Additionally, I'll implement self-service password reset methods while avoiding the use of SMS/Email OTP as a standalone method. Finally, branding enhancements for the user sign-on experience.

All policies are currently in report mode for testing. If you see any potential improvements or if you believe I'm overlooking any best practices, please let me know!
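An added example, not part of the original post: a Python check over exported Conditional Access policies that flags gaps relevant to the plan above (policies still in report-only, a break-glass account missing from the exclusions, an excluded admin role that no other strong-auth policy picks up, no legacy-auth block). Field names follow the Microsoft Graph `conditionalAccessPolicy` JSON; the function names, finding labels, IDs and sample policies are constructed for illustration.

```python
# Added example: audits exported Conditional Access policies (Graph JSON shape).
REPORT_ONLY = "enabledForReportingButNotEnforced"
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}

def users(p):
    return p["conditions"]["users"]

def grants(p):
    return p.get("grantControls") or {}

def requires_strong_auth(p):
    g = grants(p)
    return "mfa" in g.get("builtInControls", []) or bool(g.get("authenticationStrength"))

def audit(policies, break_glass_id):
    """Return (finding, subject) tuples for gaps in the policy set."""
    findings = []
    active = [p for p in policies if p["state"] != "disabled"]
    for p in active:
        if p["state"] == REPORT_ONLY:  # logged only, nothing enforced yet
            findings.append(("report-only", p["displayName"]))
        if break_glass_id not in users(p).get("excludeUsers", []):
            findings.append(("break-glass-not-excluded", p["displayName"]))
        # A role excluded here must be picked up by another strong-auth policy.
        for role in users(p).get("excludeRoles", []):
            if not any(role in users(q).get("includeRoles", []) and requires_strong_auth(q)
                       for q in active if q is not p):
                findings.append(("excluded-role-uncovered", role))
    if not any(LEGACY_CLIENTS <= set(p["conditions"].get("clientAppTypes", []))
               and "block" in grants(p).get("builtInControls", []) for p in active):
        findings.append(("no-legacy-auth-block", None))
    return findings

# Constructed sample input; all IDs and names are placeholders.
BG, ADMIN_ROLE = "break-glass-object-id", "admin-role-template-id"
SAMPLE = [
    {"displayName": "Block legacy auth", "state": REPORT_ONLY,
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BG]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Strong auth - end users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                              "excludeRoles": [ADMIN_ROLE]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"builtInControls": [],
                       "authenticationStrength": {"id": "strength-policy-id"}}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, BG):
        print(finding)
```
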

3 Answers

Answered By CuriousAdmin On

Just curious, but when you say "industry standard," which industry are you referring to? I haven’t come across Inforcer in my discussions with folks in IT.

Answered By IT_Expert99 On

While Inforcer sounds useful, have you considered Huntress? They just rolled out their Identity Security Posture Management, which could save you some money if you’re already using their services.

Answered By TechSavvyJoe On

I recommend checking out Inforcer for your setup. It's widely regarded in the industry and can handle a lot of what you're trying to accomplish here efficiently. You might find it simplifies your configurations significantly.
