Hi there,
Maybe you can achieve this with a firewall Inbound outbound rule. I think MFA does not work when you log in to an existing (disconnected) session, it only works when you log in to a computer where the user previously logged out. This is was stated in article , for your end-users connecting to their desktops and applications, the experience is similar to what they already face as they perform a second authentication measure to connect to the desired resource
--If the reply is helpful, please Upvote and Accept it as an answer--