We have the following scenario: some users have BOX storage accounts, and we need to configure a federated link between BOX and our on-premises ADFS environment. This is well documented and a standard setup. We would also like to integrate the ADFS with our on-prem Azure MFA server, so when people log in they will also be prompted for MFA. But we also want to whitelist our office IPs so they don't have to use MFA. Has anybody worked on this scenario?
You just configure the ADFS rules to only require MFA when external. From your on-prem network you contact the ADFS farm on the internal load balancer; externally you use the ADFS proxies. This allows it to determine whether you should use MFA.
The latest version of ADFS on 2016 supports Azure MFA directly, without the on-prem server.
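The internal/external split described in the first reply and the ADFS 2016 Azure MFA option from the second, as an added PowerShell example that is not from the thread. It assumes the Box relying party trust is named "Box", that external traffic reaches the farm only through the Web Application Proxy (which is what stamps the insidecorporatenetwork and x-ms-forwarded-client-ip claims), and uses placeholder office IP ranges and tenant/client IDs.

```powershell
# Added example, not from the thread. Run on an ADFS server as a farm administrator.
Import-Module ADFS

# Rule A: require MFA only when the request did not arrive via the internal farm.
# Requests relayed by the WAP carry insidecorporatenetwork = "false"; direct internal
# requests carry "true", so office users on the LAN are never challenged.
$externalOnlyMfa = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Rule B: explicit office egress allow-list for proxied requests. MFA is required when the
# WAP-forwarded client IP does NOT match an office range (203.0.113.0/24 and 198.51.100.7
# are placeholders). Internal requests have no forwarded-IP claim, so this rule skips them.
# Caveat: if another device terminates TLS in front of the WAP, the forwarded IP may be
# that device's address rather than the user's; verify the claim value before relying on it.
$officeAllowListMfa = @'
c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip",
   Value =~ "^(?!(203\.0\.113\.\d{1,3}|198\.51\.100\.7)$).+"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Scope the rule to the Box relying party only, leaving other trusts unchanged.
Set-AdfsRelyingPartyTrust -TargetName "Box" -AdditionalAuthenticationRules $externalOnlyMfa
# To apply one rule farm-wide instead:
# Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $officeAllowListMfa

# Check what is actually in force before testing from inside and outside.
(Get-AdfsRelyingPartyTrust -Name "Box").AdditionalAuthenticationRules

# ADFS 2016 only: use Azure MFA as the additional provider with no on-prem MFA server.
# $tenantId is a placeholder; the client ID is the Azure MFA client app ID from Microsoft's docs.
# $tenantId = "<your-azure-ad-tenant-id>"
# New-AdfsAzureMfaTenantCertificate -TenantId $tenantId   # once per farm, then register in Azure AD
# Set-AdfsAzureMfaTenant -TenantId $tenantId -ClientId "<azure-mfa-client-id>"
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider 'AzureMfaAuthentication'
```

Test with one account from the office LAN and one from an external address and confirm in the ADFS admin event log (event 1200 auditing) that only the external sign-in carried the multipleauthn method.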