I want to share my opinion regarding your comment. I understand the need for a feature like this, but I would say: no MFA if you're working from a trusted device. If you force a user to approve MFA every day (by, for example, configuring a session control), it is pretty evident that users might just click approve. But if you create a Conditional Access MFA policy with the setting "Exclude Hybrid AD joined devices or compliant devices", they won't even receive an MFA request, and it will look strange when they do. So the chance of approval would be considerably smaller.
Don't get me wrong, but MFA challenges should be reduced so that they worry users, instead of there being more of them.
MFA approvals will always be a problem since you rely on your users. But luckily, we have features like risky sign-in that can recognize these kinds of potential hackers.
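The policy shape the comment above describes (require MFA for everyone, but leave out devices that are compliant or hybrid joined), written as an added example with the Microsoft Graph PowerShell SDK. This is not code from the commenter or from Microsoft's own documentation; the display name, the break-glass group ID placeholder, and the choice to start in report-only mode are assumptions made for the example.

```powershell
# Added example: Conditional Access policy that requires MFA for all users on all
# apps, excluding (via a device filter) devices that are Intune-compliant or
# hybrid Azure AD joined (device.trustType "ServerAD"). Those devices never see
# an MFA prompt, so an unexpected prompt is a signal to the user.
# Requires the Microsoft.Graph.Identity.SignIns module.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "CA - Require MFA except on compliant or hybrid joined devices"   # assumed name
    # Report-only first: review sign-in logs before switching to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers  = @("All")
            # Always exclude your emergency-access (break-glass) accounts.
            excludeGroups = @("<break-glass-group-object-id>")   # placeholder, replace
        }
        applications = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        devices      = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

One caveat worth keeping in mind: a device filter in "exclude" mode also excludes sign-ins where the device state is unknown only if the filter rule matches, so unregistered or unmanaged devices still get the MFA prompt, which is the intended behaviour here. Keep the policy in report-only mode until the sign-in logs confirm that the excluded population is exactly the managed fleet.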