To secure Windows logon with Azure AD user accounts, you first need to set up MFA for Office 365 with WS-Federation.
In addition, the Office 365 application set up in your DualShield server must have 2 logon procedures, one for Web SSO and the other for ECP
The logon procedure for ECP must have one logon step with "Static Password" as its authentication method
Troubleshooting Reference:
Troubleshoot hybrid Azure AD-joined devices