If you want to enroll for Azure MFA the users need to go through these steps. When you enforce or enable MFA the user will be prompted for MFA enrollment. This is best done in a browser.

First the user need to access any of our endpoint e.g. http://portal.office.com

input mfa method — Office 365 MFA input phone number

contact options — Office 365 mfa methods

sms — You will get a text message with a code to enter

Office 365 app password during enrollment — Use this app-password on your native iOS or Android device or old Outlook 2010 instead of your normal password.

Additional Office 365 MFA options — Press cancel if you feel done. or just navigate to the indended site. e.g. http://portal.office.com

Extended Office 365 MFA options — all your MFA options

Azure AD access panel for MFA — The user access panel

Here are all of the pictures in a Sway:
https://sway.com/2fNqmpbe5O17F5Ev

Now you can enable a certain service for Azure MFA.

In this example i enforce MFA for a security group with 3 users when they try to access Yammer only. Everything else is not enforced with MFA.

Prerequisites: Enterprise Mobility + Security (EMS) License assigned to the user.

Go to: http://manage.windowsazure.com

Navigate to your domain and click applications

Use these settings

Note on these settings, I have 3 users in the CA Exchange Online Mobile group. Rest of my users are in the NO CA group and that group is set to Except. I do this to ensure that nothing is enforced globally to all users. The 3 users in the first group have not had Azure MFA Enabled or Enforced but is set to Disabled.