It depends on case-to-case basis, from the zero trust you will always enforce MFA, but If the user is logging from an office location the assumption, I make he has crossed all the necessary security gates to reach or connect office network like
1. showed some office ID to security, used the Office ID to gain access inside workstation has some username and password to log in to Wi-Fi access so in those cases I will exclude them from MFA as I assume there are some checks are done.
But keep in mind you must always enforce if the user is access to your guest WI-FI especially visitors.
The above are my thoughts for you to make a better decision as there is no straight forward answer
Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.
