When is MFA, not?

Is a (Microsoft, in this case) MFA solution which uses your smartphone really MFA? I mean, if that same smartphone is the email reading device, it seems like the opportunity for compromise and exploit is higher than it would be with a separate MFA token/device.

Technical reasons aside, I agree it's pretty reprehensible for companies to assume (or require) employees use their personal computer/phone/etc. for access to corporate resources. $COMPANY has explicitly told the employees not to use company kit for personal files, email, etc.; wouldn't you think the reverse would be (should be!) equally true?

