Modify the Access Policy to require two steps of authentication.
This can be done within the Defender Administration Console.
Navigate to the Policies OU and open the relevant policy.
Confirm the below settings:
Use: Active Directory password
Followed By: Token