Hi @willd44, how are you protecting MS 365? The Duo integration you use will determine what’s possible. In general though, you’ll want to set your New User Policy to Require enrollment. This means any users who are not enrolled in Duo will see the inline self-enrollment setup process after entering their primary username and password. Anyone who is already enrolled in Duo will be prompted to complete two-factor authentication.
Inline self-enrollment is only an option for most web-based applications, so if it’s not available to you, you will have to do bulk self enrollment via email, which it sounds like you’re doing today. In that case, yes, you’d likely need to do an open enrollment period before enabling 2FA for everyone.
I recommend checking out our Duo Policy Guide and our free course Enrollment Methods & Strategies in Duo Level Up. Hope that helps!