There are multiple places where you can mandate MFA. Below is the list, with the advantages and disadvantages of each place.
- Conditional Access Policy
This method focuses on "access control". It forces MFA based on certain conditions when a user is accessing resources. Naturally, it is a good fit when you want a higher level of assurance when certain resources are accessed.
- Identity Protection\MFA registration policy
This policy forces users to register for MFA rather than defining when MFA is used.
- Sign-in risk policy
Forces the user to use MFA based on the risk detected. What is considered "risky" is determined by a Microsoft algorithm that is not disclosed. Factors include unusual logon behavior, unusual location, etc.
- Security Default
This is a heavy-handed approach. "Security Default" enforces a bunch of best practices tenant-wide along with the MFA requirement.
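As an added example (not part of the original notes), a Conditional Access policy of the kind described above can be created with the Microsoft Graph PowerShell SDK. The display name and the excluded account ID are placeholders, and the policy is created in report-only state so that its effect can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example. Assumes the Microsoft.Graph PowerShell module is installed
# and the signed-in admin is allowed to manage Conditional Access.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Placeholder: object ID of an emergency-access ("break-glass") account.
# Excluding it keeps one way in if the policy is misconfigured.
$breakGlassId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'EXAMPLE - Require MFA for Azure management'
    # Report-only: the result is logged per sign-in but nothing is blocked.
    # Switch to 'enabled' after reviewing the logged results.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassId)
        }
        applications = @{
            # "Certain resources": here the Windows Azure Service Management API
            # (Azure portal, Azure CLI, Azure PowerShell). Use 'All' for every app.
            includeApplications = @('797f4846-ba00-4fd7-ba43-dac1f8f63013')
        }
        clientAppTypes = @('all')
        # Optional risk condition, the Conditional Access counterpart of the
        # sign-in risk policy (needs Identity Protection licensing):
        # signInRiskLevels = @('medium', 'high')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')   # the grant that forces MFA
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back to confirm what the tenant actually stored.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State, Id
```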
Places where you define which factors you can offer to users for registration, and how each factor should behave:
- Legacy
  - AAD | Security | Multifactor authentication | additional cloud-based MFA settings
  - AAD | Password Reset | SSPR Policy (if used, only for SSPR)
- New
  - AAD | Security | Authentication policies (how each factor should behave)
Besides the above 4 approaches to require MFA, MFA can also be registered on a per-user basis in the AAD portal. To improve the Authenticator registration rate among users, you can create a registration campaign under "Security | Authentication methods | Registration campaign".
Special notes about registering the Authenticator App as a factor:
When doing a per-user registration, other forms of factors (SMS, voice call) can be assigned to users in the AAD portal, but the Authenticator App can only be registered by the user in the "my account" portal.