you can enforce MFA on the CA side or on the user-level. MFA in general does have a caching (refresh token). As long as your token will be flagged as strong authentication you don't need to do MFA again, so you can use the token to get access to something.
If you do on top now Intune App Protection Policies (aka MAM) then you can enforce "Access requirements" for Outlook to prompt the user for a PIN on start. This would require the user to enter the PIN every time the user starts regardless of your authentication token.
This is totally a valid setup, have seen several environments running this.