Hi Mitul,
Whilst, as Nino said, you can do this with ADFS and it’s a 100% legitimate answer I wouldn’t recommend this as it’s likely to be more expensive due to the cost of the servers (if you want it highly available), the added technical complexity and the fact that Microsoft no longer recommend ADFS over AAD Connect - they see it as a legacy solution.
Conditional access is the easiest and best way here. Typically, here in the UK it’s positioned that not every person in the organisation needs to have it so it’s very unusual for all to need to use an AAD premium licence. Plus, it is also about the other features of AAD premium such as application SSO. The organisation has to also see the cost of data leakage and an internal attack then will realise that AAD premium is in fact very cheap.
So I would compare both the cost of data leakage and the cost of ADFS as Nino suggested and the AAD Premium should win out. Another potential option is, if they had Business Premium, to go to Microsoft 365 Business as Conditional Access has been added recently - they would get the upside of Windows 10 Business and Intune alongside the benefit of Conditional Access.
In terms of paying nothing at all, then they would get location based conditional access and there is no way - as far as I know to work around it.
Hope that answers your question!
Best, Chris
