Modern authentication is definitely enabled on the backend.  

What other things should I be checking to identify why my desktop apps don't get prompted for 2FA?

Hi, Azure AD sign-in logs are useful, search for the entries that correspond with the activity you have mentioned and see what CA policies are applying or being skipped.  Also, I'd play around with the what if tool to model your expectations.

Also be aware in some circumstances a trusted device won't always prompt for MFA, as the device itself is considered the second factor.

@Cian Allner,

I'm not familiar with the "What If" tool?

I already gave you the list of things to check, if you mean the actual keys, this article lists them: https://docs.microsoft.com/en-us/exchange/troubleshoot/modern-authentication/modern-authentication-c...

The best tool to use in troubleshooting is Fiddler, or anything else that can capture a network trace. But at this point, you can just show us what exactly you are seeing in Outlook, for example when configuring a new profile.

@OneTechBeyond 

Here it is, I use whenever I am working on CA along with the Azure AD sign-in logs, it tells you a lot on what's happening.  

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/what-if-tool

The below shows activity in Outlook desktop client when the user was interrupted to register for MFA after signing in, per the requirement.

Here is a bit more info on trusted devices NOT prompting for MFA in some circumstances here which is by design. 

@Cian Allner,

Ah OK this makes more sense to me, if the theory is that if I'm logging into an Azure AD Joined device, then that initial login is what the native Office 365 desktop apps consider to be the 'second auth' method.

However, at first setup, I'm still required to use an App Password when initially configuring my Outlook 365 clients on these Azure AD Joined devices.   Is that the expected behavior, even with Modern Auth enabled on the backend?