We use Azure AD Conditional Access in combination with AD FS and a third party MFA solution to force MFA for users from outside our network.
On our Azure AD tenant I've configured SupportsMfa $true, PromptLoginBehavior NativeSupport and PreferredAuthenticationProtocol WsFed.
On AD FS I've removed any Additional Authentication Rules, made sure there is a insidecorporatenetwork and a authnmethodsreferences claim on the Office 365 relying party trust.
Enforcement is done for all users except a few who are members of a specific group and on all cloud apps. That exception group contains some cloud-only users such a the AAD Connect service account.
The solution works as expected apart from a licensing quirk. Conditional Access is licensed through a Azure AD Premium P1 license.
When I remove the Azure AD Premium P1 license from a user I expect that Conditional Access stops working for that specific user and the he/she is unable to sign in and presented with some kind of error message.
This is not the case, Conditional Access keeps working for that user. I've tested this during several days after license removal.
Microsoft does not enforce license requirements for many of the products, thus in many cases removing a license is not a way to control access. Apart from CA, SharePoint Online is the prime example of this.