Sometimes pictures — or in this case, screenshots — really are better than words.
Recently, I needed to implement Azure AD multi-factor authentication for a client. MFA is built in to Azure, comes with an excellent iOS and Android app (Microsoft Authenticator) and is very easy and cost-effective to implement. In fact, the Azure multi-factor authentication is free for global administrators, which is the first place you should implement MFA. In short, there’s no reason not to use Azure Active Directory MFA.
Now for the pix: you can page through the images below by clicking on the thumbnail below. The first two screenshots show where to enable Azure MFA. Surprisingly, you do so in the old Azure portal. The remaining screenshots walk through a user activating Azure MFA on an iOS device using Microsoft Authenticator.
One note: if you are also an Office 365 user and have integrated your on-prem Active Directory for O365 authentication, users will need to use the MFA password — not their own — to log into Outlook and Skype. Those applications do not support Azure MFA. Log into to myapps.microsoft.com to obtain or reset this password if it wasn’t kept during initial setup.