Now you can enable a certain service for Azure MFA.
In this example i enforce MFA for a security group with 3 users when they try to access Yammer only. Everything else is not enforced with MFA.
Prerequisites: Enterprise Mobility + Security (EMS) License assigned to the user.
Navigate to your domain and click applications
Use these settings
Note on these settings, I have 3 users in the CA Exchange Online Mobile group. Rest of my users are in the NO CA group and that group is set to Except. I do this to ensure that nothing is enforced globally to all users. The 3 users in the first group have not had Azure MFA Enabled or Enforced but is set to Disabled.
This is what the user will see now.
He will see the normal login but be required to enter a second factor. If he navigates to outlook og Onedrive there will be no such requirement.