With all of the exploits in the news, it is time you consider enabling MFA on Administrative Interfaces.
The first item I would start with is administrative interfaces to cloud consoles. Cloud consoles are available anywhere in the world and can be easily hacked if someone happens to compromise an administrators password. Adding MFA will provide an additional layer of protection and make a system much more difficult to compromise. I also suggest enabling MFA on cloud consoles from all locations including trusted locations. Numerous breaches over the past year have come from internal networks and hackers are not stupid.
The second item I would secure is Firewall Administrative Interfaces. Firewalls are relatively easy to secure with MFA and are very important to secure with MFA. If a firewall admins password happens to get compromised, it takes another layer of security to access the firewall. If you have a load balancer/reverse proxy that faces the Internet, that is something I would also suggest securing with MFA.
The third item I would secure is your back-up system's and if possible Storage Area Network (SAN). I have hackers/attackers compromise a network and then gather intelligence. Part of that intelligence gathers is figuring out passwords to backup systems. Once they have the passwords, they then delete the backup jobs so you can't restore an infected systems. If you can lock your back jobs from being deleted, that is an important step, but I would also require MFA to access those appliances. It is all about putting another roadblock in the way to prevent a compromise.
The final item I would secure is remote desktop (RDP) access to servers. RDP is a very easy and effective method to manage windows servers. It is also one of the protocols that is very easy to compromise. If you are accessing servers from a VPN, I would advise you to consider requiring MFA. Since Covid-19, most people are working remotely and from untrusted networks. If you are like most, you have taken numerous measures to secure those remote systems. But, the fact remains those systems are sitting on untrusted networks and are a dream for attackers/hackers. It just takes one well written phishing email and a click on that email to have a compromised system. Requiring MFA when accessing a system using RDP is a good way to prevent a compromised account from having unfettered access to internal systems.
I would consider enabling MFA on as many administrative interfaces as possible. It is not always easy and you will be making it a bit more difficult to manage systems, but it will make your environment much more secure. It will prevent a compromised password from caused damage to your systems. With the rise in compromised Exchange Accounts from the most recent compromise and the advance phishing emails, it is just a matter of time before one of your accounts is compromised. You have been warned.....