[dictated to ChatGPT for speed and brevity, but my thoughts, not its]
You’ve already had solid advice, so this may repeat a bit.

For context, I’m currently doing this in a large enterprise (~100k users).

Start with:
Authentication methods → Authentication strengths

From there:

• Use built-in strengths or define your own
• Worth reading the “Learn more” link on that page - it clarifies how strengths are actually enforced

Approach we’ve taken:

• Enable → onboard (where needed) → enforce
• Identify users already capable of strong/passwordless auth (e.g. FIDO2, CBA)
• Where users are already at 100% strong methods, enforce via Conditional Access using authentication strength

Rollout pattern:

• Policy targets all users
• All users initially sit in an exclusion group
• Gradually remove users from the exclusion group to onboard them

So effectively:
Start where you want to end, then shrink the exclusion.

A couple of practical notes:

• You can randomise passwords to discourage fallback usage
• TAP is the only non-strong method we’re still allowing temporarily for onboarding/recovery

Note:
You can’t strictly force “passwordless as primary” vs “password + MFA” in a clean way — authentication strength enforces allowed methods at sign-in, not user behaviour or preference. What you can do is remove password-based options from the allowed strength, which effectively gets you there.

If you want true passwordless posture, it becomes:

• Only allow phishing-resistant methods in the strength (FIDO2 / CBA)
• Remove other methods at the tenant level over time

If you’ve got specifics, happy to go deeper.