Enabling two-factor authentication should be the standard and perhaps it should be enforced as the minimum requirements for authentication for any cloud service. Password are not safe, and users keeps making the same mistakes protection and securing their password.
I highly recommend that you require two-step verification for all of your users. This includes administrators and others in your organization who can have a significant impact if their account is compromised.
There are multiple options for requiring two-step verification. The best option for you depends on your goals, the Azure AD edition you’re running, and your licensing program. There are numerous options in Azure AD. From using the build-in option included in the regular subscription, to using Azure Multi-factor authentication server for on-premise services or using a third part solution such as DOU, VIPAccess, Okta, or RSAID with Federation.