Hello @Raymond Ha ,
Thank you for reaching out. I would like to confirm that the logic you have described, to prompt for MFA when the AD password is changed, would not be possible to set using an Azure AD Conditional Access Policy, since Conditional Access Policy does not evaluate the Last Password Change Timestamp attribute or Password Age to prompt for MFA or any other control.
You can instead use Sign-In Frequency to force an MFA prompt every 30 or 60 days. Sign-In Frequency Documentation: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime
I hope this helps, and I would request you to please "Accept the answer" if the information helped you. This will help us and others in the community as well.
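The Sign-In Frequency approach suggested in the answer above, sketched as an added example that is not part of the original reply: it creates a Conditional Access policy through the Microsoft Graph PowerShell SDK that requires MFA and forces reauthentication every 30 days. The display name, the report-only state, the "All users / All apps" scope and the break-glass account placeholder are assumptions for illustration.

```powershell
# Added example (not from the original answer). Requires the Microsoft.Graph
# PowerShell SDK and an account allowed to manage Conditional Access.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder: object ID of an emergency-access account kept out of the policy
# so a misconfiguration cannot lock every administrator out.
$breakGlassId = '<BREAK-GLASS-ACCOUNT-OBJECT-ID>'

$policy = @{
    displayName = 'Require MFA - reauthenticate every 30 days'  # assumed name
    # Report-only first: sign-in logs show what would be enforced
    # before the policy is switched to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
    sessionControls = @{
        # Time-based only: Conditional Access has no condition for
        # password age or last password change.
        signInFrequency = @{
            isEnabled = $true
            type      = 'days'   # 'days' or 'hours'
            value     = 30       # use 60 for the longer interval
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the session control was stored as intended.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = 'SignInFrequency'
           e = { '{0} {1}' -f $_.SessionControls.SignInFrequency.Value,
                              $_.SessionControls.SignInFrequency.Type } }
```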