Require MFA on Azure AD joined devices

fatshark_2k This is by design, where Azure AD joined or Hybrid Azure AD joined devices can get a PRT (Primary Refresh Token) issued with an MFA claim included during Windows logon when a user signs in with their organization credentials.  This fulfils the requirement for MFA, which won't be prompted separately.

https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token

This is also explained here:

"Trusted devices will improve user experience because the trusted device itself can satisfy the strong authentication requirements of policy without an MFA challenge to the user. MFA will then be required when enrolling a new device and when accessing apps or resources from untrusted devices."

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-resilient-controls#microsoft-recommendations

There is some further discussion on this here.  I worked with a customer that felt this was a security issue and ended up removing all laptops from Azure AD, as they wanted to control exactly when Azure MFA is prompted.