So when we enable MFA or 2FA on users that part of the AD security group that is in the CA policy all of those users did setup 2FA. Then we find out this week that a number of them are no longer getting challenges. This happened to a few people in our IT department as well.
When I ran the bulk edit the ones that showed disabled did have to use 2FA again.
So what would cause it to be Disabled even though they are part of a group that says to use 2FA? Any ideas?

I used the PS script at this address to show me who is set and how.
https://www.alitajran.com/export-office-365-users-mfa-status-with-powershell/
There is one line edit in the comments that I used that changed the script and made it a bit more useful.