During my session at the Global Azure Boot Camp about Azure Active Directory, somebody from the audience asked me whether you can enable MFA by default for each user. Using the regular MFA portal (which is still outside the Azure portal), that was not possible.
After some digging and researching, there is a way to do this. However, this will require an Azure AD Premium P2 license. Azure AD Premium has a service called Azure Active Directory Identity Protection. This service is very similar to Conditional Access but is completely focused on the identity protection part. For example, you can use this service to detect risky sign-ins, users at risk, and much more. At the same time you can use the service to create policies that remediate these vulnerabilities.
This is the service you can use to enable MFA by default. Azure AD Identity Protection is the service you need to look for in your Azure portal. Go to Configuration > MFA registration. Create the right settings for your MFA configuration. If you want to exclude certain users from the MFA requirement, you can do that under Assignments > Users > Exclude. Enforce the policy and click Save.
So, time to test this policy. I created a new user in my local Active Directory and synchronized it to my Azure Active Directory. When the user logs in, he gets the following screen, confirming MFA is active.
Again you need Azure Active Directory Premium for this, but it does work.
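Testing with a single user shows the policy works, but a practitioner will also want to verify coverage across the whole tenant. The following script is an added example, not part of the original post: it reads the Microsoft Graph authentication-method registration report and splits users into registered, excluded by the policy (mirroring the Assignments > Users > Exclude list) and still missing MFA. It assumes you supply an access token with the reporting permission (AuditLog.Read.All is assumed here); the sample records at the bottom are constructed so the audit logic runs offline.

```python
"""Audit MFA registration coverage after enforcing the Identity Protection
MFA registration policy. Added example; not code from the original post."""
import json
import urllib.request

# Microsoft Graph v1.0 report of per-user authentication-method registration.
GRAPH_URL = ("https://graph.microsoft.com/v1.0/reports/"
             "authenticationMethods/userRegistrationDetails")


def fetch_registration_details(access_token):
    """Page through the Graph report and return every user record.
    Assumes a token carrying the reporting permission (AuditLog.Read.All)."""
    records, url = [], GRAPH_URL
    while url:
        req = urllib.request.Request(
            url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        records.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page
    return records


def audit_mfa_registration(records, excluded_upns=()):
    """Split users into registered, excluded-by-policy and missing MFA.
    excluded_upns mirrors the policy's Assignments > Users > Exclude list."""
    excluded = {u.lower() for u in excluded_upns}
    result = {"registered": [], "excluded": [], "missing": []}
    for rec in records:
        upn = rec["userPrincipalName"]
        if rec.get("isMfaRegistered"):
            result["registered"].append(upn)
        elif upn.lower() in excluded:
            result["excluded"].append(upn)  # expected gap: policy not applied
        else:
            result["missing"].append(upn)   # unexpected gap: follow up
    return result


# Constructed sample in the shape the Graph report returns (not real tenant data).
SAMPLE_RECORDS = [
    {"userPrincipalName": "alice@contoso.example", "isMfaRegistered": True},
    {"userPrincipalName": "bob@contoso.example", "isMfaRegistered": False},
    {"userPrincipalName": "svc-sync@contoso.example", "isMfaRegistered": False},
]

if __name__ == "__main__":
    report = audit_mfa_registration(
        SAMPLE_RECORDS, excluded_upns=["svc-sync@contoso.example"])
    print(json.dumps(report, indent=2))
```

Replace SAMPLE_RECORDS with the output of fetch_registration_details(token) to run it against a live tenant; anyone in "missing" has not yet completed the registration the policy enforces at next sign-in.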