Multi Factor Authentication
You should be able to allow Azure AD joined machines to use multi-factor authentication for user accounts logging into an Azure AD joined domain, using the authenticator app or a code sent to the user's phone. This would be the exact same functionality you currently have for admins being required to use two-factor authentication to join a machine to Azure AD, but you would require it for all users who sign into their Azure AD joined machines. I was able to successfully implement this; however, when I disabled my multi-factor authentication, I was unable to get this functionality back. I am not sure if this was just a glitch that allowed me to get a code every single time I logged into my machine. Windows Hello for Business is not true two-factor authentication. Hello for Business is essentially as if you were using a local account on a machine.