Enabling Multi-Factor Authentication (MFA) for Azure AD users is straightforward. The problem is that when you enable MFA per user through the Azure AD MFA portal, it also applies to those users' Office 365 sign-ins, because Azure and Office 365 share the same Azure AD tenant and the same user accounts. So how do we avoid that?
The solution below only works if you have Azure AD Premium (it should work with both the P1 and P2 licensing plans, but it is best to confirm this with Microsoft), because it relies on a feature called Conditional Access. With Conditional Access you create policies that enable or disable specific features and settings for specific users. In this case we use Conditional Access to require MFA only for the users who access Azure, and not for Office 365.
First, create a new Azure AD group with the Assigned membership type:
Open Azure Active Directory -> Users and Groups -> All groups -> click New Group
Provide the details:
Now that you have the group, create a new Conditional Access policy and include the group in it. Follow the steps below:
The last step is adding members to the group. In a small environment you can simply add the members manually; if you have many Azure subscriptions, you can script it. I have posted a blog entry here on how to do that with Azure Automation.
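The whole procedure (assigned group, Conditional Access policy scoped to Azure management only, group membership) can also be done from PowerShell. The script below is an added example, not code from the original post or its linked Azure Automation entry. It assumes the Microsoft Graph PowerShell module and an account that can manage groups and Conditional Access policies; the group and policy names and the two member UPNs are placeholders I made up. The cloud app it targets is the well-known first-party "Microsoft Azure Management" application, which is what keeps the policy from touching Office 365. It goes slightly beyond the post by creating the policy in report-only mode first, so you can review the sign-in log before enforcing it.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module:
#   Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# 1. Security group with Assigned membership (not dynamic) for the users who need MFA on Azure.
$group = New-MgGroup -DisplayName "Azure-MFA-Users" `            # placeholder name
    -MailEnabled:$false -MailNickname "azure-mfa-users" `
    -SecurityEnabled:$true `
    -Description "Users required to use MFA when signing in to Azure portal / ARM"

# 2. Conditional Access policy: MFA for this group, but only for the Microsoft Azure Management app.
#    Office 365 workloads are not in includeApplications, so they are unaffected.
$azureManagementAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"   # well-known Microsoft Azure Management app id

$policy = @{
    displayName = "Require MFA for Azure management"              # placeholder name
    # Report-only first: sign-in logs show what *would* be blocked. Change to "enabled" after review.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeGroups = @($group.Id)
            # Good practice: exclude an emergency-access (break-glass) account here, e.g.
            # excludeUsers = @("<break-glass-account-object-id>")
        }
        applications   = @{ includeApplications = @($azureManagementAppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.DisplayName) in state $($created.State)"

# 3. Add members. A small environment can use a hand-written list like this one (constructed sample
#    UPNs); a large one would build the list from subscription role assignments instead.
$members = @("alice@contoso.example", "bob@contoso.example")
foreach ($upn in $members) {
    $user = Get-MgUser -UserId $upn
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
    Write-Host "Added $upn to $($group.DisplayName)"
}
```

After running it, check Azure AD > Sign-in logs with the Conditional Access filter: sign-ins to the Azure portal by group members should show the policy as "Report-only: Success" or "Report-only: Failure", while Office 365 sign-ins should show "Not applied". Only then switch `state` to `enabled`.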