Hello @HK G ,
Thanks for reaching out.
When AD FS receives an authentication request, regardless of SSO configuration, it first determines whether or not there is an SSO context (such as a cookie) and then, if MFA is required (such as if the request is coming in from outside), it will assess whether or not the SSO context contains MFA. If not, MFA is prompted.
Multi-factor authentication can be enabled at an AD FS server, at a relying party, or specified in an authentication request parameter. Check the configurations to see if they are correctly set. If multi-factor authentication is expected but you are not prompted for it, check if the claim rules in the relying party are correctly set for multi-factor authentication.
Multi-factor authentication prompt and check the configuration on the AD FS server and the relying party: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/troubleshoot-ad-fs-sso-issue#check-the-configuration-on-the-ad-fs-server-and-the-relying-party
For more information about multi-factor authentication in AD FS, see the following articles:
Under the hood tour on Multi-Factor Authentication in ADFS – Part 1: Policy
Under the hood tour on Multi-Factor Authentication in ADFS – Part 2: MFA aware Relying Parties
Multi-factor authentication (MFA) behavior: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-single-sign-on-settings
Hope this helps.
------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
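
One way to run the configuration check described in the answer above, as an added example that is not part of the original reply: a read-only PowerShell audit of the server-level and relying-party-level MFA settings. It assumes an elevated session on an AD FS server with the ADFS module available, and the `AccessControlPolicyName` column assumes Windows Server 2016 or later; the rule checks are simple string matches, so treat them as hints for which trusts to read by hand.

```powershell
# Added example: read-only audit of the places where AD FS can require MFA.
# Assumption: run elevated on an AD FS server that has the ADFS module.
Import-Module ADFS

# Claim value that additional authentication rules issue to demand MFA.
$mfaValue = 'http://schemas.microsoft.com/claims/multipleauthn'

# 1. Server level: is any additional (MFA) authentication provider enabled?
$global    = Get-AdfsGlobalAuthenticationPolicy
$providers = @($global.AdditionalAuthenticationProvider | Where-Object { $_ })
if ($providers.Count -eq 0) {
    Write-Warning 'No additional authentication provider is enabled, so AD FS cannot prompt for MFA.'
}

# 2. Server level: global additional authentication rules (apply to all relying parties).
$globalRules     = [string](Get-AdfsAdditionalAuthenticationRule).AdditionalAuthenticationRules
$globalIssuesMfa = $globalRules -match [regex]::Escape($mfaValue)

# 3. Relying party level: per-trust rules and (2016+) access control policy.
$report = foreach ($rp in Get-AdfsRelyingPartyTrust) {
    $rules = [string]$rp.AdditionalAuthenticationRules
    [pscustomobject]@{
        Name                = $rp.Name
        Enabled             = $rp.Enabled
        # Heuristic: the rule text issues the multipleauthn value.
        RuleIssuesMfa       = $rules -match [regex]::Escape($mfaValue)
        # Heuristic: the rule is conditioned on inside/outside network location.
        RuleChecksLocation  = $rules -match 'insidecorporatenetwork'
        AccessControlPolicy = $rp.AccessControlPolicyName
    }
}

# 4. SSO lifetimes: an existing SSO context that already contains MFA suppresses a new prompt.
$sso = Get-AdfsProperties |
    Select-Object SsoLifetime, EnableKmsi, KmsiLifetimeMins, PersistentSsoLifetimeMins

'MFA providers enabled         : {0}' -f ($providers -join ', ')
'Global rule issues MFA claim  : {0}' -f $globalIssuesMfa
$sso    | Format-List
$report | Sort-Object Name | Format-Table -AutoSize

# Trusts where nothing visible here demands MFA: no global rule, no per-trust rule,
# and no access control policy assigned. Review these first if a prompt is expected.
$report | Where-Object {
    $_.Enabled -and -not $globalIssuesMfa -and -not $_.RuleIssuesMfa -and -not $_.AccessControlPolicy
} | Select-Object -ExpandProperty Name
```

A trust listed by the final filter can still receive an MFA prompt when the authentication request itself asks for it, which this script cannot see from configuration alone.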