I’m trying to protect M365 with Duo SSO. I have some email accounts in my tenant that are service accounts. I have WS-Trust configured and only want users in the DuoUsers AD group I’ve created to enroll and use Duo for MFA. I have the policy checked that unenrolled users can bypass MFA. So my service account emails should still work and my users in the DuoUsers group should be prompted by a Duo push when they log in to email, correct?