The below steps will guide you through how to setup an Azure AD Multi Factor Authentication Policy to ensure your users are kept safe from phishing attacks. If you wish to exclude a location from this policy see how here.
Login to Azure AD as a global administrator
Click Security down the left hand side panel
Click + New policy
Enter a name for your new MFA Policy
Under Assignment select users and groups and specify the Security group or users to apply the policy to. Or select All users.
Click Access Controls
Select Grant access and tick Require multi-factor authentication
Chose to either leave the policy in report mode only for previewing the “What If” the policy was enabled or go ahead and enable the policy and click Create.
The next time user login to 365 they will be prompted to enter more information in the form of a mobile number or an enrolment into the Microsoft Authentication App.