Microsoft makes a strong case that all Azure Active Directory accounts should be protected with multi-factor authentication (MFA). That’s a great aspiration, but the immediate priority is to check accounts holding admin roles. This post explains how to use a PowerShell script to find and report those accounts.
https://office365itpros.com/2019/07/15/finding-azure-active-directory-not-protected-with-mfa/