Context

Identity attacks have increased by 300% in the last year.
Many IT guys use their standard AD account also as Azure AD administrator.
If your company is a MS Cloud Service Provider (CSP), by default it can delegate "general Admin" role on Customer tenant.

That means that:

1/ You will harden IT admins workstations with BitLocker and other policies and tools

2/ Your tenant will have to be MFA compliant, for your company and customers security

3/ If your daily account is also admin, think about creating a dedicated admin account with MFA, and remove all privileges from your daily account

Good news: MFA for admins do not require additional E3 or E5 license.

Activation

MFA for admins can simply be enforced now. Go to Azure Portal / Azure Active Directory / Enterprise applications / Conditional Access
When you detail policy "Baseline policy: Require MFA for admins", you see what we are talking about

Of course you can also set MFA for admins one by one here:
https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx
but that is not a global enforcement policy (hackers are always looking for weak points).

MFA user side

Once MFA for admins is enforced, it can be used with mobile confirmation, SMS confirmation.

For this example, we will use mobile application (it's easier using Internet for confirmation, rather than SMS or phone calls when you are in a datacenter)

For each admin user, from a PC, goto : https://aka.ms/mfasetup , or directly here: https://account.activedirectory.windowsazure.com/proofup.aspx?proofup=1 , authenticate
Select “ what's your preferred option? ” : Use verification code from app or token Check box “Authenticator app or Token” Press button “Set up Authenticator app”
You will see the beyond screen:
Switch to your mobile phone, and then, install the Microsoft Authenticator for Windows Phone, Android or iOS , or through your mobile store
On android, launch app "Play Store" Type "Microsoft Authenticator" Select app, then
Click on "..." button then "Add account" or "+" button
Select "Professional account"
Then, scan the previous QR code displayed on your PC The account will automatically be added on your phone
Switch back to your PC, click from the widows with QR Code
You should receive now a notification on your mobile
You will see your mobile displayed; In our case “S41” Click
"Et voilà"

MFA authentication

On your PC, logon to portal https://portal.azure.com/ or https://admin.microsoft.com/
Enter your account and password
You will see MFA screen coming on your PC
Switch to your mobile Authenticator Click on button   "Et voilà", you used MFA for privileged Azure AD accounts !!!