Documentation says MFA for users is for free
I saw this "When these policies are enabled, each user will be able to utilize Azure MFA at no additional cost." sentense in this help page. I just confirmed it is working with one of our Sandbox's user and "End user protection" enabled but wanted to explicitly ask if that is OK to be applied on production too.
Yes, you can apply this to both your integration sandbox and your actual reseller tenant. Please note before you do this it is important to verify that any automation or integration you have has been updated to follow the Secure Application Model framework gudiance. This will ensure you do not encounter an issue when the policies are enabled.
@LukeMarlin, That is correct. The Free MFA through the policy only includes the Authenticator app since Microsoft considers that to be the most secure option. I've found that if I enable MFA at the user level using a licensed option, I still have access to SMS after applying the policy. But that may change in the future.