enforce MFA - base level security policy
Can't agree more strongly.
At a previous company a user's corporate O365 account was compromised through the re-use of a password from the individual's private 'standard' list of passwords used for many purposes - one of these was hacked.
I asked the IT manager why MFA was not mandated - particularly as it is a free standard feature. There was no satisfactory response. It was fixed and there hasn't been a breach since.