Office 365 was the first Microsoft product to be launched that uses a cloud-based subscription. It is cloud-based, so it offers more than other products. Anyone who chooses to migrate to Office 365 to the cloud requires a lot knowledge about the deployment, migration and other technical aspects.
You can find a lot of information on www.office.com/setup blog. These blog posts provide all the most recent news and updates in a concise manner, so you can gain all the pertinent knowledge.
There are two ways to start
Microsoft has done a lot of work to improve multi-factor authentication's resilience and capability.
You can enable it manually for each account. This is a mistake. Although it is simple conceptually, it is too easy to forget accounts. It will also require too much maintenance as users move on. This is a poor suggestion and I will not officially consider it a way to start.
Second, if you are using Microsoft 365 Business E3, E5, MFA is either on for everyone or disabled for everyone. This is a way to get started. However, it may not be what you wanted.
Microsoft's "Security Defaults", a feature Microsoft introduced in 2019, is the best way to start. Good news if your tenant was created after that date. In this case, you don't have to do anything. It's easy and simple to set it up if you don't have a tenant yet. Microsoft even states that security defaults can be used by organizations that want to improve their security posture, but don't know where or how to begin.
The other real way to get started is to visit www.office.com/setup. This is more complicated than security defaults.
Basics of conditional access
CA policies are simple in that every user or device who requests access to a resource within Microsoft 365 expects to receive an authentication token. The endpoint will require the client to authenticate if there is no token or the token has expired.
This means that the user will see a logon dialog. She will then enter her credentials. Office setup checks them and issues a token if they are valid. CA allows you to add conditions or exceptions to this process. You can think of them as if-then laws. You could, for example, create a rule saying "require MFA if a user signs in to www.office.com/setup portal at a location that I don't trust" or "require MFA for users who log in to Teams from within our corporate network."