In the AAD Rego, usage of the ruleset names PhishingResistantMFA, PhishingResistantMFAPolicies, HasAcceptableMFA and AlternativeMFA makes the AAD Rego code difficult to understand because I'm not sure that their names accurately reflect their purpose. Some of these rulesets are referenced across multiple policies.
Implementation notes
[ ] Rename these policies to make it more obvious what each one is being used for.
[ ] Check if there is any redundant logic between the rulesets that can be consolidated.
💡 Summary
In the AAD Rego, usage of the ruleset names PhishingResistantMFA, PhishingResistantMFAPolicies, HasAcceptableMFA and AlternativeMFA makes the AAD Rego code difficult to understand because I'm not sure that their names accurately reflect their purpose. Some of these rulesets are referenced across multiple policies.
Implementation notes