I'm working with a client currently using ~5000 Enterprise E3 & EM+S E3, and ADFS federation with AD Connect. I'm working with two AD security groups that are populated on-premises and get synchronized: All Company Users and Global Admins.
They are self-explanatory, and Office 365 Global Admin accounts are in both groups. I am enforcing MFA for Admins all the time and for Users when not on the trusted networks (we are on Windows 7, but next year will go to Windows 10 and I expect to manage this by device).
Should the policy below work?
Include Group: All Company Users ; Exclude Group: Global Admins
Selected Cloud Apps
Include: All Locations ; Exclude: Trusted locations
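As an added example (not from the original post), here is how the two policies described above could be expressed with the Microsoft Graph PowerShell SDK: one for users outside trusted locations with Global Admins excluded, and one for Global Admins at all times. The group object IDs are placeholders for the two synchronized groups.

```powershell
# Added example: the two Conditional Access policies described in the post,
# built with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns).
# Group object IDs are placeholders; resolve them with
#   Get-MgGroup -Filter "displayName eq 'All Company Users'"
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$allUsersGroupId     = "<objectId of 'All Company Users'>"   # placeholder
$globalAdminsGroupId = "<objectId of 'Global Admins'>"       # placeholder

# Policy 1: users need MFA for the selected cloud apps when outside trusted locations.
# Global Admins are excluded here because policy 2 covers them everywhere.
$usersPolicy = @{
    displayName = "CA01 - MFA for users outside trusted locations"
    state       = "enabledForReportingButNotEnforced"   # report-only first; set "enabled" after review
    conditions  = @{
        users = @{
            includeGroups = @($allUsersGroupId)
            excludeGroups = @($globalAdminsGroupId)
        }
        applications = @{
            includeApplications = @("Office365")   # or the app IDs chosen under "Selected cloud apps"
        }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")     # named locations flagged as trusted
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Policy 2: Global Admins need MFA for all apps, with no location exclusion.
$adminsPolicy = @{
    displayName = "CA02 - MFA for Global Admins always"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($globalAdminsGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $usersPolicy
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminsPolicy
```

Both policies start in report-only mode so the sign-in logs can confirm which accounts each one would have affected before enforcement is switched on.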