With Microsoft's Modern authentication in Exchange Online, Two Factor Authentication (2FA) are enabled when staff user sign-in to access their email using the following supported email apps:

Apart from the above email apps, other email apps does not support modern authentication can no longer access to Exchange Online after disable unsecure access to Exchange Online starting from Q1/Q2 2020 (i.e. Basic Authentication for EWS, EAS, IMAP, POP and RPS to access Exchange Online will be retired).

After disabling unsecure access to Exchange Online, your mailbox is fully protected against the risk of password leakage. When setting up a new email app, you will just need to approve the sign-in request with 2FA (using your mobile device, etc.), for one time only, per application per device (e.g. perform 2FA for both Mail for iOS and Outlook for iOS if they need to set up on the same mobile). You may also reset your password after your account has been disabled with unsecure access to Exchange Online. After your password has been changed, please refer to the webpage Reminders after Password Change if necessary.