After searching in the O365 portal, organization settings I have the answer.
1) In the Azure portal go to Active Directory
2) Choose properties
3) And there you have the 'Security Defaults'
This gives us out of the box the following features
a) Requiring all users and admins to register for MFA.
b) Challenging users with MFA - mostly when they show up on a new device or app, but more often for critical roles and tasks.
c) Disabling authentication from legacy authentication clients, which can’t do MFA.