Lots of questions! :)
- Require MFA for ALL locations except for trusted locations (or your IP range) is the usual recipe here: https://learn.microsoft.com/en-us/entra/identity/conditional-access/location-condition
- Both apply: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policies
- See above: if the policy applies then all are applied. A user won't be asked to MFA twice since the existing token will already satisfy the requirement, unless you also have a policy with a different auth context that needs to be fulfilled: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps
- Depends on your requirements. If you want to block high sign-in risk and allow MFA for medium, two policies are needed. If you want to allow the user to MFA with both high and medium sign-in risk, then only one policy is needed. If you want to also block high user risk, that's a separate policy.
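The four policies sketched in the reply above (MFA outside trusted locations, block high sign-in risk, MFA for medium sign-in risk, block high user risk), as an added example that is not part of the original comment. It uses the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Identity.SignIns`) and the documented Conditional Access policy schema; the `$BreakGlassId` value is a placeholder for an emergency-access account and the `CA0x` display names are assumed. Everything is created in report-only state so the effect can be reviewed in the sign-in logs before anything is enforced. The two risk-based policies need Entra ID P2 (Identity Protection) licensing to evaluate.

```powershell
# Added example (not from the original reply): creates the Conditional Access
# policies discussed above via Microsoft Graph, in report-only state.
# Assumptions: Microsoft.Graph.Identity.SignIns is installed, the signed-in admin has
# Policy.ReadWrite.ConditionalAccess, and $BreakGlassId is a placeholder object ID of
# an emergency-access account that every policy excludes (so a bad policy cannot lock
# out all admins).
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$BreakGlassId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace

function New-CaPolicyBody {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string[]]$SignInRisk = @(),      # e.g. @('high') or @('medium','high')
        [string[]]$UserRisk   = @(),      # e.g. @('high')
        [hashtable]$Locations = $null,    # e.g. include All, exclude AllTrusted
        [Parameter(Mandatory)][string[]]$Controls   # @('mfa') or @('block')
    )
    $conditions = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    # Only add the condition keys that are actually used; an empty risk list would
    # otherwise be sent as a (meaningless) condition.
    if ($SignInRisk.Count -gt 0)  { $conditions.signInRiskLevels = $SignInRisk }
    if ($UserRisk.Count   -gt 0)  { $conditions.userRiskLevels   = $UserRisk }
    if ($null -ne $Locations)     { $conditions.locations        = $Locations }

    return @{
        displayName   = $Name
        state         = 'enabledForReportingButNotEnforced'   # report-only first
        conditions    = $conditions
        grantControls = @{ operator = 'OR'; builtInControls = $Controls }
    }
}

$policies = @(
    # 1. MFA from everywhere except trusted locations. 'AllTrusted' covers every named
    #    location flagged as trusted (e.g. your office IP ranges).
    (New-CaPolicyBody -Name 'CA01 Require MFA outside trusted locations' `
        -Locations @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') } `
        -Controls @('mfa')),

    # 2./3. Different outcome per sign-in risk level => two separate policies.
    (New-CaPolicyBody -Name 'CA02 Block high sign-in risk' `
        -SignInRisk @('high') -Controls @('block')),
    (New-CaPolicyBody -Name 'CA03 Require MFA for medium sign-in risk' `
        -SignInRisk @('medium') -Controls @('mfa')),

    # 4. User risk is a separate condition, so blocking it is a separate policy.
    (New-CaPolicyBody -Name 'CA04 Block high user risk' `
        -UserRisk @('high') -Controls @('block'))
)

foreach ($p in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    '{0} -> {1} ({2})' -f $created.DisplayName, $created.Id, $created.State
}
```

Leave the policies in report-only for a while and check the "Report-only" tab of the sign-in logs for unexpected hits (service accounts, legacy clients, admins signing in from untrusted networks) before switching `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`. If you instead want one policy that prompts for MFA on both medium and high sign-in risk, pass `-SignInRisk @('medium','high') -Controls @('mfa')` and drop CA02.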