In order for you to meet the MFA requirements of your Insurance Company you can't just enable MFA in Microsoft or Google.
You need to identify system users, you need to what processes access your system, and what devices connect to your system.
Like all things cyber this begins with Good Governance.
You should have an identification and authentication policy. You should have an HR guide that lists the procedures used to add or remove users from your company. Your employee handbook should cover the password policy, and your training needs to cover MFA.