Forum Discussion

OrionJason
Brass Contributor
Jul 28, 2020

Double MFA when logging into Win10 with SAML-federated AAD identity

Our environment is predominantly Mac + GSuite. We have some users who need Office Apps but GSuite is our collaboration platform. We have a few Windows users. I followed https://github.com/IAmFrench/GSuite-as-identity-Provider-IdP-for-Office-365-or-Azure-Active-Directory with a couple modifications to federate O365/AAD to GSuite with SAML.

While that works great for Mac users, Windows users have a few issues. I am managing Win10 laptops with Intune Device licenses and using that to enable Web Sign-in as well as manage device security posture and deploy a few applications. This allows users to log into their laptop with their AAD (Google-via-SAML) credentials. Google is enforcing 2-step auth so the user logs in with U/P and then 2FA. For some reason, even though MFA is set to Disabled for the user, they are prompted to set up (or use if they have already set up) Microsoft Authenticator to provide a 2nd factor to AAD. If they are disabled for MFA I have to enable their user so they can complete this step. I've looked at the Okta WS-Fed guide on how to signal AAD that MFA was used but have no idea how that might be accomplished in my scenario.

Once through the hoops the user sets up Windows Hello and it isn't really an issue with any frequency but it is really ugly and I want to fix it.

Is there a way to set all federated users to never be MFA-prompted while leaving MFA enabled for our non-federated admin user?

Thanks

4 Replies

    • OrionJason
      Brass Contributor

      VasilMichev I did enable Security Defaults as indicated in that link. I also went back in and toggled it back to No hoping that would take care of it but it did not change the issue. Once that setting is enabled, does toggling it off in the UI only revert some settings? Is there a list of what the security defaults are and their related PowerShell commands to verify the UI un-sets them, or manually unset them as needed?

      • VasilMichev
        MVP

        The article lists what exactly Security defaults "translates" to, first paragraph on top. You won't see them in other parts of the UI.
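As an added example (not code from this thread, and not Microsoft's own guidance), here is a PowerShell check of the two tenant settings the discussion turns on: whether Security Defaults is still enforcing MFA registration, and whether the federated domain is configured so Azure AD accepts MFA done by the external IdP (the "signal AAD that MFA was used" idea from the Okta guide). It assumes the Microsoft Graph PowerShell SDK and uses `example.com` as a placeholder for the federated domain.

```powershell
# Added example. Assumes Microsoft.Graph.Identity.SignIns and
# Microsoft.Graph.Identity.DirectoryManagement are installed and the
# session has Policy.Read.All plus Domain.ReadWrite.All (admin consent).
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement

function Get-FederatedMfaPosture {
    param([Parameter(Mandatory)] [string] $FederatedDomain)

    # Security Defaults is tenant-wide and cannot be scoped to a subset of
    # users; while it is on, every user is pushed to register Authenticator
    # regardless of the legacy per-user MFA state (the symptom in the post).
    $sd  = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy

    # federatedIdpMfaBehavior decides whether Azure AD trusts MFA performed
    # by the federated IdP or always runs its own second factor afterwards.
    $fed = Get-MgDomainFederationConfiguration -DomainId $FederatedDomain

    [pscustomobject]@{
        SecurityDefaultsEnabled = $sd.IsEnabled
        FederatedDomain         = $FederatedDomain
        IdpMfaBehavior          = $fed.FederatedIdpMfaBehavior
        FederationId            = $fed.Id
    }
}

function Set-AcceptIdpMfa {
    param([Parameter(Mandatory)] [string] $FederatedDomain)

    $fed = Get-MgDomainFederationConfiguration -DomainId $FederatedDomain
    # Azure AD only treats the IdP's MFA as satisfied when the assertion
    # carries the multipleauthn authentication-method claim
    # (http://schemas.microsoft.com/claims/multipleauthn); if the IdP never
    # emits it, Azure AD still prompts, so verify the assertion before
    # relying on this setting.
    Update-MgDomainFederationConfiguration `
        -DomainId $FederatedDomain `
        -InternalDomainFederationId $fed.Id `
        -FederatedIdpMfaBehavior 'acceptIfMfaDoneByFederatedIdp'
}

# Usage (placeholder domain):
Connect-MgGraph -Scopes 'Policy.Read.All', 'Domain.ReadWrite.All'
Get-FederatedMfaPosture -FederatedDomain 'example.com' | Format-List
```

If `SecurityDefaultsEnabled` is still `True` after toggling it off in the portal, that single policy is what keeps forcing registration; turning it off is `Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false`, after which admin MFA has to come from per-user MFA or Conditional Access rather than from Security Defaults.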
