We got into a debate today regarding the value of implementing MFA or SSO for SaaS apps in a corporate environment. Half the group argued for MFA and half argued for SSO as the more secure option. The argument for SSO goes like this: We already have MFA enabled for Azure AD, so by default, if you sign into a SaaS app on a non-corporate device, you will be prompted to use whichever MFA option you have set up. If you sign into the SaaS app on a corporate computer, MFA exists as well (something you own: computer, something you know: computer password). And then obviously you get the added benefit of ensuring that only active users in AD have access at all. The real question is, does a corporate device (computer) act as the 2nd factor for MFA when using SSO in this context?