This information explains some reasons MFA may be triggered on your account.
We are using Risky Sign-ins as the trigger for MFA.
What are Risky Sign-ins?
Microsoft collects our sign-in data and runs algorithms against it to determine normal and abnormal behavior. That "abnormal behavior" is what triggers a Risky Sign-in.
|Risk Event Type|Risk Level|Example|
|---|---|---|
|Sign-ins from anonymous IP addresses|Medium|You're using Tor browser, anonymous nodes/VPNs. This would be triggered as an anonymous IP address.|
|Impossible travel to atypical locations|Medium|You're in Colorado Springs at 2:20pm and Mumbai at 2:22pm. This would be triggered as impossible travel.|
|Sign-ins from unfamiliar locations|Medium|You're always in Colorado Springs, now you're in England? This would be triggered as an unfamiliar location.|
|Sign-ins from infected devices|Low|Your credentials were used on a network that is hosting malware. This would be triggered as an infected device.|
|Sign-ins from IP addresses with suspicious activity|Medium|Microsoft has seen this IP doing shady stuff and now you are signing in with that IP address. This would be triggered as suspicious activity.|
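
The impossible-travel case in the table can be illustrated with a simple speed check between consecutive sign-ins. This is an added example, not Microsoft's algorithm and not code from this page; the record fields, user names, coordinates and both thresholds are assumptions, and the sample records are constructed.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Assumed thresholds: faster than an airliner is implausible; short hops are ignored
# so that IP geolocation jitter between nearby cities does not raise a flag.
MAX_PLAUSIBLE_KMH = 1000.0
MIN_DISTANCE_KM = 100.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(signins):
    """Return (user, from_city, to_city, km, km/h) for implausibly fast consecutive sign-ins."""
    flagged, last = [], {}
    for s in sorted(signins, key=lambda r: r["time"]):
        prev = last.get(s["user"])
        last[s["user"]] = s
        if prev is None:
            continue
        km = haversine_km(prev["lat"], prev["lon"], s["lat"], s["lon"])
        if km < MIN_DISTANCE_KM:
            continue
        hours = (s["time"] - prev["time"]).total_seconds() / 3600
        # Two distant sign-ins with the same timestamp imply unbounded speed.
        kmh = km / hours if hours > 0 else float("inf")
        if kmh > MAX_PLAUSIBLE_KMH:
            flagged.append((s["user"], prev["city"], s["city"], round(km), kmh))
    return flagged

# Constructed sample sign-in records (not real log data).
SAMPLE = [
    {"user": "alice", "city": "Colorado Springs", "lat": 38.83, "lon": -104.82, "time": datetime(2024, 1, 8, 14, 20)},
    {"user": "alice", "city": "Mumbai", "lat": 19.08, "lon": 72.88, "time": datetime(2024, 1, 8, 14, 22)},
    {"user": "bob", "city": "Colorado Springs", "lat": 38.83, "lon": -104.82, "time": datetime(2024, 1, 8, 9, 0)},
    {"user": "bob", "city": "Denver", "lat": 39.74, "lon": -104.99, "time": datetime(2024, 1, 8, 10, 30)},
]

if __name__ == "__main__":
    for user, src, dst, km, kmh in impossible_travel(SAMPLE):
        print(f"{user}: {src} -> {dst}, {km} km at {kmh:.0f} km/h")
```

A sign-in from a corporate VPN exit far from the user's real location produces the same pattern, which is one reason a check like this prompts for MFA rather than blocking outright.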