ADFS 2.0 is running only on unsupported OSes. So I would start by updating your ADFS farm. It is documented: here (note that it is pretty much the same process to move from ADFS 2.0 to Windows Server 2012 R2 ADFS or 2016 or 2019).
That said, you have two main roads here.
You can configure Azure AD to redirect users to your on-premises ADFS farm and DUO provider to perform MFA. That way, if you create a conditional access policy that enforces MFA to access, let's say, SharePoint Online, when a user accesses SharePoint and did not do MFA, Azure AD will redirect the user to ADFS. The user will not have to provide username or password but just perform the MFA. This is done by enabling the -SupportMFA flag on the federation settings with the MSOnline PowerShell module.
Or you can configure DUO as a custom MFA provider in Azure AD. It is documented on their website. That way you don't need to use your MFA provider on ADFS at all (at least not for the Azure AD relying party trust). And you let everything be managed in the cloud.
On that second point, you could go one step further and not use ADFS at all if you can for Azure AD. ADFS is not a requirement anymore to have a Single Sign-On experience for your users. Have a look at this: Azure Active Directory Seamless Single Sign-On.
A couple of things here.
First, Azure Active Directory Seamless Single Sign-On does not require you to sync the hash of the users. You can make it work with the Pass Through Authentication mode (i.e. the authentication will still take place on-prem via a lightweight agent that you can even install on your Azure AD Connect server to start with).
Then, I want to make it clear that your scenario is still using Conditional Access Policy in Azure AD. You just redirect to ADFS for the MFA part. The trigger is still in Azure AD, so the trusted IP condition (and all others) still apply. What is not a good idea is trying to reproduce what Azure AD Conditional Access Policy does in ADFS. But that's not your scenario.
Also, there is a free feature in Azure AD called Security Defaults. It allows customers to enable MFA for free on all users. But this requires using the Azure MFA mobile app. So in that case the DUO provider won't cut it.
The role of ADFS when it is used for Azure AD (and by extension for Office 365) is really just to validate the user's password (well and in your case, perform the MFA).
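
The first option above (letting Azure AD hand the MFA step to ADFS) comes down to one federation setting per domain. The following is an added example, not part of the original answer: it checks and enables that setting with the MSOnline module, where the parameter is named `-SupportsMfa`. The domain name `contoso.com` is a placeholder, and the sketch assumes the domain is already federated with your ADFS farm.

```powershell
# Added example. 'contoso.com' is a placeholder for your federated domain.
Import-Module MSOnline
Connect-MsolService   # sign in with an account allowed to manage domain settings

$domainName = 'contoso.com'

# Only federated domains have federation settings; stop early on a managed domain.
$domain = Get-MsolDomain -DomainName $domainName
if ($domain.Authentication -ne 'Federated') {
    throw "$domainName is '$($domain.Authentication)', not Federated. Nothing to configure."
}

# Record the current state so the change can be audited or reverted.
$before = Get-MsolDomainFederationSettings -DomainName $domainName
Write-Host "SupportsMfa before change: $($before.SupportsMfa)"

if (-not $before.SupportsMfa) {
    # Tells Azure AD that the federated IdP (ADFS + DUO here) can satisfy MFA,
    # so a Conditional Access MFA requirement is redirected to ADFS.
    Set-MsolDomainFederationSettings -DomainName $domainName -SupportsMfa $true
}

# Read the setting back rather than trusting that the call succeeded.
$after = Get-MsolDomainFederationSettings -DomainName $domainName
if (-not $after.SupportsMfa) {
    throw "SupportsMfa is still not enabled on $domainName."
}
Write-Host "SupportsMfa after change: $($after.SupportsMfa)"
```

Once the setting is on, Azure AD only treats the MFA requirement as met if the token from ADFS carries the `http://schemas.microsoft.com/claims/authnmethodsreferences` claim with the value `http://schemas.microsoft.com/claims/multipleauthn`, so confirm the Azure AD relying party trust passes that claim through.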