@chrisbrownie
Last active September 28, 2016 01:23
# Import the MSOnline (MSOL) module and connect to the tenant
Import-Module MSOnline
Connect-MsolService

# Find the tenant's Azure AD Premium SKU; admins get this licence so MFA can be required.
# Fail early rather than indexing into an empty result if the tenant has no such SKU.
$aadSku = Get-MsolAccountSku |
    Where-Object {$_.AccountSkuId -ilike "*:AAD_PREMIUM"} |
    Select-Object -First 1 -ExpandProperty AccountSkuId
if (-not $aadSku) { throw "No AAD_PREMIUM SKU is available in this tenant" }

# Define the StrongAuthentication (MFA) requirement: require MFA for every relying party
$StrongAuthenticationRequirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$StrongAuthenticationRequirement.RelyingParty = "*"
$StrongAuthenticationRequirements = @($StrongAuthenticationRequirement)

# Collect the members of every admin role. Exclude anything that's not a User
# (groups and service principals cannot be given an MFA requirement this way).
$admins = @()
foreach ($role in (Get-MsolRole)) {
    $admins += Get-MsolRoleMember -RoleObjectId $role.ObjectId | Where-Object {$_.RoleMemberType -eq "User"}
}
# A user holding several roles is returned once per role; process each user only once
$admins = $admins | Sort-Object -Property ObjectId -Unique

# For each admin, license them and then turn on MFA
foreach ($admin in $admins) {
    # Skip users who already have an MFA requirement
    if ($admin.StrongAuthenticationRequirements.State -ne $null) { continue }

    $user = Get-MsolUser -UserPrincipalName $admin.EmailAddress

    # A usage location must be set before a licence can be assigned ("AU" is this tenant's country)
    if ([string]::IsNullOrEmpty($user.UsageLocation)) {
        Set-MsolUser -UserPrincipalName $admin.EmailAddress -UsageLocation "AU"
    }

    # Assign the AAD Premium SKU unless the user already holds it
    if ($user.Licenses.AccountSkuId -notcontains $aadSku) {
        Set-MsolUserLicense -UserPrincipalName $admin.EmailAddress -AddLicenses $aadSku
    }

    # Assign the strong authentication requirement (MFA) to the user
    Set-MsolUser -UserPrincipalName $admin.EmailAddress -StrongAuthenticationRequirements $StrongAuthenticationRequirements
}
@chrisbrownie (Author)

This does not take into account AADSync service accounts, as they're returned by Get-MsolRoleMember, in addition to regular accounts.

Could probably change the Where clause to the following:
| Where-Object {($_.RoleMemberType -eq "User") -and ($_.DisplayName -ne "On-Premises Directory Synchronization Service Account")}

Which should exclude DirSync accounts (NB: untested).
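The filtering the comment above describes, written out as an added example that is not part of the gist or the author's code: a pipeline function that keeps only user-type role members, drops the directory synchronization service account, emits each user once even when they hold several roles, and skips users who already have an MFA requirement, followed by a -WhatIf-capable function that performs the licence and MFA changes. The sample role-member objects are constructed to mirror the properties Get-MsolRoleMember returns, and the assumption that the sync account can also be recognised by a UserPrincipalName beginning with "Sync_" is mine, not the gist's.

```powershell
# Added example (not part of the gist). The "Sync_" UPN prefix and the sample
# objects below are assumptions constructed for illustration.

function Select-MfaTarget {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)] $RoleMember,
        [string[]] $ExcludedDisplayNames = @("On-Premises Directory Synchronization Service Account"),
        [string]   $ExcludedUpnPrefix    = "Sync_"   # assumption: AAD Connect sync account UPN prefix
    )
    begin { $seen = @{} }
    process {
        $m = $RoleMember
        # Only user objects (not groups or service principals) can be given an MFA requirement
        if ($m.RoleMemberType -ne "User") { return }
        # Skip the directory synchronization service account, matched by display name or UPN
        if ($ExcludedDisplayNames -contains $m.DisplayName) { return }
        if ($m.EmailAddress -like "$ExcludedUpnPrefix*") { return }
        # A user holding several roles appears once per role; emit each user once
        if ($seen.ContainsKey($m.ObjectId)) { return }
        $seen[$m.ObjectId] = $true
        # Skip users who already have an MFA requirement (State is Enabled or Enforced)
        if ($m.StrongAuthenticationRequirements.State) { return }
        $m
    }
}

function Enable-AdminMfa {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Target,
        [Parameter(Mandatory = $true)] [string] $Sku,
        [string] $UsageLocation = "AU"
    )
    process {
        $upn = $Target.EmailAddress
        # With -WhatIf, ShouldProcess returns $false and only reports what would be done
        if ($PSCmdlet.ShouldProcess($upn, "Assign $Sku and require MFA")) {
            $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
            $req.RelyingParty = "*"
            $user = Get-MsolUser -UserPrincipalName $upn
            if ([string]::IsNullOrEmpty($user.UsageLocation)) {
                Set-MsolUser -UserPrincipalName $upn -UsageLocation $UsageLocation
            }
            if ($user.Licenses.AccountSkuId -notcontains $Sku) {
                Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $Sku
            }
            Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($req)
        }
    }
}

# Constructed sample mirroring what Get-MsolRoleMember returns across two roles
$sample = @(
    [pscustomobject]@{ ObjectId = "1111"; DisplayName = "Alice Admin"; EmailAddress = "alice@contoso.com"
                       RoleMemberType = "User"; StrongAuthenticationRequirements = @() }
    [pscustomobject]@{ ObjectId = "1111"; DisplayName = "Alice Admin"; EmailAddress = "alice@contoso.com"
                       RoleMemberType = "User"; StrongAuthenticationRequirements = @() }   # same user, second role
    [pscustomobject]@{ ObjectId = "2222"; DisplayName = "Bob Admin"; EmailAddress = "bob@contoso.com"
                       RoleMemberType = "User"
                       StrongAuthenticationRequirements = @([pscustomobject]@{ State = "Enforced"; RelyingParty = "*" }) }
    [pscustomobject]@{ ObjectId = "3333"; DisplayName = "On-Premises Directory Synchronization Service Account"
                       EmailAddress = "Sync_SRV01_abc123@contoso.onmicrosoft.com"
                       RoleMemberType = "User"; StrongAuthenticationRequirements = @() }
    [pscustomobject]@{ ObjectId = "4444"; DisplayName = "Helpdesk"; EmailAddress = $null
                       RoleMemberType = "Group"; StrongAuthenticationRequirements = $null }
)

# Runs offline: only Alice is emitted, and only once
$targets = $sample | Select-MfaTarget
$targets | Select-Object DisplayName, EmailAddress

# Against a real tenant (after Connect-MsolService), preview first, then drop -WhatIf to apply:
# $targets | Enable-AdminMfa -Sku $aadSku -WhatIf
```

Running the real role members through Select-MfaTarget before Enable-AdminMfa -WhatIf gives a reviewable list of exactly which accounts will be licensed and have MFA turned on, which is the check worth doing before touching every admin in a tenant.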
