I want to enable MFA for all staff with the condition that they are only prompted for the second authenticator when they are outside of the office. For this to happen am i right in believing we would need to be on version 2016 of ADFS at the very least? We also want them to be able to choose between the APP and SMS \ Voice. (I`ve already posted earlier today about the issue of multiple SMS being received when firing up my laptop, Skype, Sharepoint, Teams etc.
I would also like the couple this with MDM, in particular for on-premise AD accounts with non-domain joined machines. These are external 3rd contractors carrying out work on the behalf of my company. I want to be able to manage \ limit what those machines can access in Azure, but I am struggling to find information on anything that is not domain joined.
In regards to restricting Non-Domain Joined devices to resources in Azure, you can use the Conditional Access Policy to only allow "Hybrid Azure Joined device" to access the Services. When the 3rd part contractor tries to access the resource with his/hers Non Domain Joined device, it will be restricted.