
VSTS - prevent push to master but allow PR merge


Branch policies already do exactly what you're saying. When a branch policy is in place, PRs are required.

Make sure your developers don't have the "Exempt From Policy Enforcement" permission.


I know this question is a bit older but here is some additional information...
Unfortunately I cannot add comments to the "best answer" so here is a new one, you may just treat it as a comment:

Branch policies already do exactly what you're saying. When a branch policy is in place, PRs are required.

100 % agree

Make sure your developers don't have the "Exempt From Policy Enforcement" permission.

100 % agree

Exempt From Policy Enforcement

Where should we look to see if developers have the "Exempt From Policy Enforcement" permission?

From docs.microsoft.com:

There are several permissions that allow users to bypass branch policy. In TFS 2015 through TFS 2018 Update 2, the Exempt from policy enforcement permission allows users with this permission to perform the following actions:

  • When completing a pull request, opt-in to override policies and complete a pull request even if the current set of branch policies is not satisfied.
  • Push directly to a branch even if that branch has branch policies set. Note that when a user with this permission makes a push that would override branch policy, the push automatically bypasses branch policy with no opt-in step or warning.

In Azure DevOps Services, the Exempt from policy enforcement permission is removed and its functionality divided into the following two new permissions:

  • Bypass policies when completing pull requests
  • Bypass policies when pushing

Users that previously had Exempt from policy enforcement enabled now have the two new permissions enabled instead.

You can find these options under:
organization / project / Settings / Repositories

Local Git

Presumably a user can do anything to their own local version of the master branch, but then Azure DevOps would deny the push to the remote? If/when that happens, what would the dev need to do to undo the mess they've gotten into on their local repo?

This is the case because the branch policies in Azure DevOps are not, let's call it, "vanilla git". It's a Microsoft-specific extension which has nothing to do with your user's local git branches. Therefore a user can do to his local git repo whatever he wants to - DevOps just prevents some stuff "server-sided".

About the question how a dev can undo the mess: I recommend this SO question.
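
The local-versus-server split and the recovery asked about above, as an added example that is not part of the original answers. It assumes a throwaway bare repository whose pre-receive hook stands in for the server-side policy (Azure DevOps enforces policy itself, not through this hook); the repository, branch and commit names are hypothetical.

```bash
# Constructed demo (not Azure DevOps itself): a bare repo with a pre-receive
# hook stands in for the server-side branch policy. All names are hypothetical.
recover_rejected_master() {
  work=$(mktemp -d) || return 1
  (
    cd "$work" || exit 1
    git init -q --bare server.git
    git init -q dev && cd dev || exit 1
    git symbolic-ref HEAD refs/heads/master
    git config user.name dev
    git config user.email dev@example.invalid
    git remote add origin ../server.git
    git commit -q --allow-empty -m "initial"
    git push -q origin master   # seed master before the policy exists

    # Stand-in policy: the server refuses every direct update of master.
    mkdir -p ../server.git/hooks
    cat > ../server.git/hooks/pre-receive <<'EOF'
#!/bin/sh
while read -r old new ref; do
  [ "$ref" = "refs/heads/master" ] && { echo "master requires a PR" >&2; exit 1; }
done
exit 0
EOF
    chmod +x ../server.git/hooks/pre-receive

    # Committing on local master succeeds; only the push is refused.
    git commit -q --allow-empty -m "work done on master by mistake"
    if git push -q origin master 2>/dev/null; then exit 1; fi

    # Recovery: keep the work on a topic branch, realign local master.
    git branch topic/my-change
    git reset -q --hard origin/master
    git push -q origin topic/my-change 2>/dev/null || exit 1

    # Local master matches the server again; the work lives on the branch.
    [ "$(git rev-parse master)" = "$(git rev-parse origin/master)" ] || exit 1
    [ "$(git log -1 --format=%s topic/my-change)" = "work done on master by mistake" ] || exit 1
    git -C ../server.git rev-parse -q --verify refs/heads/topic/my-change >/dev/null
  )
  status=$?
  rm -rf "$work"
  return $status
}

recover_rejected_master && echo "local master realigned, work pushed on topic/my-change"
```

The pushed topic branch is then what a pull request into master would be opened from.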


I do not have reputation points to comment on an answer, so I will post a new one here.

When you set your master branch policy to Require a minimum number of reviewers, the master branch automatically will be protected. You will not be able to push any commits. In order to make any changes, you will need to create a new branch, and create a pull request to merge the modifications.