Answering your questions here:
- Is this the way it should work? Shouldn't I get CODE to my phone every time I want to connect to the VPN?
The Azure AD default configuration for user sign-in frequency is a rolling window of 90 days. If you would like to change it, here are some recommendations given for the same in this document.
- I've found a guide about enabling MFA for Azure P2S VPN by creating a "Conditional Access" for Azure VPN in Enterprise Application in AZ AD. When I follow that guide, I can't complete it as it asks me to upgrade the AZ AD license to Premium when in the Conditional Access section.
As you mentioned, using Conditional Access does require an additional Azure AD Premium P1 license, as given in the document.
Hope this helps. If you need any further assistance regarding this issue, please feel free to add to this issue and we will be glad to assist. Thank you and have a good day!