How weak passwords and other failings led to catastrophic breach of Ascension


Still Incorrect

[snip]

Why is the only MFA option in On-Prem AD out of the box "Smart Card" instead of the myriad of options we have available to us today?
(Because it's a major selling point to moving to AAD)
I'm going to be charitable here and say that it's because Smart Card is standardized and good security. It's better than a phishable TOTP, and don't get me started on SMS codes!

Smart Card is cheap, whether it's a real Smart Card on a lanyard, a Yubikey, or the TPM-protected virtual Smart Card on a laptop or desktop. The "Windows Hello for Business" stuff is really Smart Card in disguise, too.

Making AD users implement Smart Card rather than a less secure option is a net positive.
 