You are implementing multi-factor authentication in your organization. Some users are complaining about the complexity. What should you do to balance security and usability?

Correct answer: Implement risk-based conditional access that requires MFA only when necessary based on user risk profiles

Option A is correct because risk-based Conditional Access in Azure AD evaluates signals such as user location, device compliance, and sign-in risk score to challenge users with MFA only when risk is elevated, reducing friction for low-risk users while maintaining strong security for suspicious sessions. Option B is incorrect because shortening token expiration forces more frequent re-authentication for all users regardless of risk, which increases friction without intelligently targeting high-risk scenarios. Option C is incorrect because storing MFA codes in email is a severe security anti-pattern, since email accounts can be compromised, undermining the entire purpose of multi-factor authentication. Option D is incorrect because removing MFA entirely eliminates a critical authentication control and leaves the organization highly vulnerable to credential-based attacks.