Force MFA when trying to use elevated rights
Force an MFA prompt when a user crosses into an administrative boundary. For example, a SharePoint admin might be able to use SharePoint and view pages as a standard user with a non-MFA login process until they access the Admin Console; then they get an MFA prompt to cross into the admin boundary. This is similar to what many online banking sites now do, where you can view your accounts, but when you cross into a high-value transaction, you are then prompted to verify your account again with stronger credential checking.
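The step-up check this idea describes, as an added example (not part of the original post and not code from any Microsoft product). The `/admin` prefix, the session fields `amr` and `mfa_time`, and the 15-minute freshness window are assumptions chosen for illustration.

```python
import posixpath
import time

ADMIN_PREFIXES = ("/admin",)          # hypothetical admin-boundary prefix
MFA_MAX_AGE_SECONDS = 15 * 60         # assumed policy: repeat MFA after 15 min
MFA_METHODS = {"otp", "hwk", "mfa"}   # second-factor "amr" values (RFC 8176)


def normalize(path):
    """Canonicalize a request path so '/pages/../Admin' cannot dodge the check."""
    return "/" + posixpath.normpath(path.lower()).lstrip("/")


def crosses_admin_boundary(path):
    """True when the path is inside the admin boundary (whole segments only)."""
    p = normalize(path)
    return any(p == a or p.startswith(a + "/") for a in ADMIN_PREFIXES)


def access_decision(session, path, now=None):
    """Return 'allow' or 'step_up' for an already signed-in session.

    session: dict with 'amr' (methods used so far) and 'mfa_time'
    (epoch seconds of the last second-factor check, or None).
    """
    now = time.time() if now is None else now
    if not crosses_admin_boundary(path):
        return "allow"                # standard pages keep the non-MFA login
    has_mfa = bool(MFA_METHODS & set(session.get("amr", [])))
    mfa_time = session.get("mfa_time")
    if not has_mfa or mfa_time is None:
        return "step_up"              # password-only session at the boundary
    if now - mfa_time > MFA_MAX_AGE_SECONDS:
        return "step_up"              # MFA proof is stale, verify again
    return "allow"


def complete_step_up(session, method, now=None):
    """Record a successful second-factor check on the session."""
    if method not in MFA_METHODS:
        raise ValueError("not a second factor: " + method)
    session["amr"] = sorted(set(session.get("amr", [])) | {method})
    session["mfa_time"] = time.time() if now is None else now
    return session
```
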
Niklas Larsson commented
Excellent idea, shouldn't even be an idea but already in place. If I use Edge and have my work account linked to Windows 10 there is zero respect for our choice of MFA/2FA for our administrators of Office 365. At least require MFA/2FA when accessing the administration console of Office 365.