Yes the EMS E3 license will suffice and is the recommended and most flexible option. E3 license includes the AAD P1 functionality. E3 license is a superset of AAD P1 and includes Intune so you can also do other sophisticated access control using device health/compliance.
This enables you to configure Azure AD conditional access rules and enforce MFA when accessing Exchange Online as Pierre mentions. You could optionally further secure the access to be limited to healthy/compliant devices only. Then you configure the approved
MFA verification methods to include the authenticator app based notifications (and any other methods as you see fit). When users access Exchange Online via AD FS, the MFA side is handled on Azure AD side. No need to install any MFA server on-premises.
Note you already have limited amount of MFA functionality as an O365 customer (without any AAD P1 or E3 licenses) . See the differences in functionality at
https://azure.microsoft.com/en-us/pricing/details/active-directory/ . So you *could* potentially enforce MFA on each user (see https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
) and configure the MFA methods as you see it. But this approach would force them to do MFA all the time to logon to Azure AD (Not just for Exchange Online). You and end users might consider this a sub optimal end user experience if they don't like
regular MFA prompts.
If you only have a need for MFA to access Exchange Online, you may be OK with the latter and the regular MFA prompts for end users. But as you likely see the benefits of moving more apps to integrate with Azure AD (e.g. other SaaS apps such as Workday, Salesforce,
ServiceNow etc) and want to secure that access via MFA and other conditional access features, you might prefer to use E3 licenses and conditional access route which offers granular configuration of where and when MFA occurs.
M@
