@Steven DeQuincey 

I've tested this quite a bit now...

For a WVD Windows 10 VM:

• MFA disabled, I can login without issue
• MFA Enabled, I cannot login
• Conditional MFA Enabled, I cannot login

For a Windows 365 VM:

• I can login regardless of whether or not MFA is enabled, a MFA prompt doesn't happen

I'm comparing this to local RDS or an RDS in Azure where authentication can be configured to require MFA, forcing a prompt on the Authenticator app to connect. I'm pretty sure W365 is bypassing MFA and am under the impression RD Gateway in WVD/W365 doesn't actually support MFA.  

I think I might have sorted myself out:

• Deploy Azure AD joined VMs in Azure Virtual Desktop - Azure | Microsoft Docs
  • Only works by default if the connecting machine is aad joined , hybrid aad joined, or registered to the same aad tenant
  • Need to also add targetisaadjoined:i:1 if you want to access via a web client or a non-aad machine
• Sign in to Windows virtual machine in Azure using Azure Active Directory | Microsoft Docs
  • Only works if you are excluding "Azure Windows VM Sign-In" from MFA so that a machine not using Windows Hello for Business can connect

I'm guessing that means W365 has all this setup to bypass these requirements.  Still doesn't completely make sense to me why it works when a user has MFA enforced...