Service principals as exception for MFA/end user protection requirements
As I understand it: Excluding accounts will not be in compliance with the Partner Security Requirements. They have to be 'Included' in a policy that has the MFA control enabled.
I hope that we can exclude certain Apps though
@MartinJ - app only authentication is not impacted by the partner security requirements. So, they only used a client identifier and secret key to request an access token then they can safely enable the baseline policies. @assofohdz is correct that they will not be able to exlcude users. If they have a policy that does this today, then they need to look into modifying it to comply with the requirements.