The following are the three different options for enabling MFA for your users, data, and applications:

• Using a Conditional Access policy: You can use Conditional Access policies to enable MFA. This can be enabled at the user or application level. You can also enable MFA for security groups or for all external users using a Conditional Access policy. This is available for premium Azure AD licenses.
• At the user level: This option is covered in more detail in the next section of this chapter. This is the traditional method for enabling MFA. With this method, the user needs to perform MFA every time they sign in. It will override Conditional Access policies when these are set.
• Using Azure AD Identity Protection: With this option, you will create an Azure AD Identity Protection risk policy based on the sign-in risk for all of your cloud applications. This will also override Conditional Access policies, if they've been created. This option requires an Azure AD P2 license.