Hi Brent - If you apply MFA via Azure Conditional Access Policy , it will apply multifactor authentication on modern app supported clients. Native mail clients might bypass MFA. But if you enforce MFA (via AzureAD MFA setting) it will enforce Multi factor authentication for all requests, so native apps e.g iOS client will require apppassword to access services. Supported apps such as Outlook app on Andriod/iOS follow modern auth flow and caches the MFA token (for 14 days) and remain signed in until token is invalidated (e.g. User changes the password or goes offline for longer). you can also configure the token lifetime (MaxAgeMultiFactor) if required - Pls refer to https://docs.microsoft.com/en-us/azure/active-directory/active-directory-configurable-token-lifetime.... Hope this helps.
I think it is either Conditional Policy or enforce MFA. If your criteria is location based rule and is to bypass MFA for trusted IPs and internal IPs(ADFS Claim), you can still specify those IPs in the service settings section in Azure AD MFA console. This will apply MFA policy to all apps.
If you noticed, there is a setting in the "Access Controls" section in Conditional Access Policy (v2), there is an option to specify "Require Approved client app". This does not include "Browser" as a client at the moment. I would really like to see this feature extended to Approved clients and Approved browser, which will allow us configure Conditional Access Policies to all/targeted cloud apps using CAP v2 conditions/rules.