The MFA data is actually not currently accurately represented in the ITDR management interface. If you manually apply MFA to individual identities, yes, it is accurate, but if you apply MFA via policy (for instance, create a group whereby any identity added to the group has MFA forced on it) the ITDR management interface currently utterly ignores that these identities are MFA-enabled. With larger clients management by policy is the only realistic approach. We hope to see ITDR catch up to this reality. Case and point: we have a client with 678 identities - totally impractical to manage MFA identity-by-identity, so we do so by policy. ITDR management says that 305 of them are not MFA-enabled, but the reality is that only 5 of them are not MFA-enabled. The filter simply does not see MFA-enabled identities that were MFA-enabled by policy.