Some of this is expectations and how you train your users I think.
I know at least in my experience, running a Windows machine I can get random prompts to sign-in at random times from Outlook, Team, Visual Studio for Azure resources, from powershell scripts with zero context as to what they are for.
Some of them will prompt for login, as I have multiple AAD account, others will just pick one AAD account and skip the password as things are cached.
I'm then getting seemingly phantom login prompts and phantom authenticator requests by design. I'm denying them when I'm not certain what they are, and for secure environments I'm using a yubikey - but that's not what I expect most people to do faced with this.
I know at least in my experience, running a Windows machine I can get random prompts to sign-in at random times from Outlook, Team, Visual Studio for Azure resources, from powershell scripts with zero context as to what they are for.
Some of them will prompt for login, as I have multiple AAD account, others will just pick one AAD account and skip the password as things are cached.
I'm then getting seemingly phantom login prompts and phantom authenticator requests by design. I'm denying them when I'm not certain what they are, and for secure environments I'm using a yubikey - but that's not what I expect most people to do faced with this.