To secure Windows logon with Azure AD user accounts, you first need to set up MFA for Office 365 with WS-Federation.
In addition, the Office 365 application set up in your DualShield server must have 2 logon procedures, one for Web SSO and the other for Enhanced Client (ECP)
The logon procedure for Enhanced Client must have one logon step with "Static Password" as its authentication method
Troubleshooting Reference:
Troubleshoot hybrid Azure AD-joined devices