Short version
Multi-Factor Authentication (MFA) in Office 365 is dependent on Modern Authentication which is oAuth 2.0 via ADAL that authenticates the user in Azure AD
Longer version with links to deep dives
- What is MFA?
- Multi-Factor Authentication (MFA) in Office 365 requires Modern Authentication (oAuth2.0 + ADAL) to be enabled for the clients and services that are going to use MFA
- MFA, Two-step verification, is a method of authentication that requires more than one verification method combined with the Azure Authenticator App, SMS or phone call verification
- Read more here
- What is Modern Authentication?
- Modern Authentication is oAuth 2.0 used via ADAL to enable newer applications (Outlook, Word, OneNote, Skype for Business and other Office applications) to authenticate to services such as Skype for Business, Exchange and SharePoint
- In Office 2013 march 2015 update and later Modern Authentication is supported and in Office 2016it is enabled by default and will use an in-application browser control to render the Azure AD sign-in experience
- Read more here
- What is oAuth?
- Open Authentication 2.0 (oAuth 2.0) is used as a component via ADAL as the web-based authorization flow between servers or clients and servers
- Read more here
- What is ADAL?
- Microsoft Azure Active Directory Authentication Library (ADAL) is a tool in the .NET framework that lets client applications authenticate users to Office 365 and Azure AD
- Read more here
- Two options are available for SSO with on-premises AD that requires Modern Authentication
- Pass Through Authentication (PTA)
- Works with Office 365 only
- Enabled on latest AADC with outbound connection only, no DMZ server
- Just set up several AADC and it is automatically loadbalanced resulting in low operational cost
- Does not store password in Azure AD, authenticates user in on-premises AD first and presents MFA after that if enabled
- In combination with password sync you are not dependent on AADC uptime
- Read more here and here
- ADFS 3.0
- Used for hybrid Skype for Business and Exchange environments
- Skype for Business server Hybrid supports Modern Authentication, but will do NTLM authentication to on-premises AD and give MFA pop-up when authenticating to Exchange Online, read more here
- I recommend Pointsharp MFA for on-premises and hybrid Skype for Business deployments
- Exchange Server hybrid requires MFA Server, read more here
- For best Azure MFA result an Online only deployment is recommended
- ADFS is best for larger organizations
- More complex and requires proxy servers in DMZ with public IP and Certificate
- Requires loadbalancer for high-availability
- Is required when doing MFA with Smart Card, 3rd party tokens and certificate based authentication
- Read more here
- You can now use Microsoft Intune to control MFA options and turn of MFA for certain subnets and conditions, read more here
- Read about conditional access, MFA with Intune Hybrid and SCCM
- Use Azure AD Premium with automated password roll-over for business social media profiles protected by a MFA enabled identity with centrally controlled delegation, read more here
msunified.net 
Great article. I however don’t believe modern authentication is enabled by default in Office 2013 march update, you need to enable it within registry: https://support.office.com/en-us/article/Enable-Modern-Authentication-for-Office-2013-on-Windows-devices-7dc1c01a-090f-4971-9677-f1b192d6c910?ui=en-US&rs=en-US&ad=US&fromAR=1
Thanks, glad you like it. Good call on Office 2013, have updated accordingly :)
Are you saying that in order to use MFA, you need SSO? Can we not use MFA with synchronized identity?
I am saying if you are using SSO, these are your options. “same sign in” works as well when you are just syncing identity. It will be like native Office 365 with MFA. But if you have on-premises workloads like Exchange, Skype for Business or Sharepoint, that will be an issue without SSO.
Thanks for the clarification