Hi:

I'm working with a client currently using ~5000 Enterprise E3 & EM+S E3, and ADFS federation with AD Connect. I'm working with two AD security groups that are populated on-premises and get synchronized: All Company Users and Global Admins. 

They are self explanatory and Office 365 Global Admin accounts are in both groups. I am enforcing MFA for Admins all the time and Users when not on the trusted networks (we are on windows 7, but next year will go to windows 10 and I expect to manage this by device).

Should the policy below work?

Allow Access

Require MFA

Include Group: All Company Users ; Exclude Group: Global Admins

Selected Cloud Apps

Include: All Locations ; Exclude: Trusted locations

Using client Browser, Mobile and client Apps

I'm getting mixed results. Thanks for any help!

Tad