Thank you for posting this in Microsoft Q&A.
As I understand, you want to implement a Conditional Access policy in Entra ID that requires MFA when accessing any of the cloud services. If a user is accessing on-premises resources, MFA should not be prompted.
This is achievable by configuring a Conditional Access policy targeted at specific users.
You can follow the article below to configure this in your environment:
https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-azure-mfa
However, Microsoft made an announcement a couple of months back to improve security for all users in Azure by enabling MFA for all users.
Starting October 15, 2024, enforcement of MFA at sign-in for the Azure portal, Entra portal and Intune portal will roll out gradually to all tenants. This phase will not impact any other Azure clients, such as Azure CLI, Azure PowerShell and IaC tools. This phase is expected to last until March 2025.
Starting in early 2025, enforcement of MFA at sign-in for Azure Command Line Interface (CLI), Azure PowerShell and Infrastructure as Code (IaC) tools will gradually roll out to all tenants.
For both phases, Microsoft will notify global admins about the expected enforcement date of your tenant(s) by email and through Azure Service Notifications, 60 days in advance. The countdown for enforcement for your tenant(s) does not begin until you have received this first notification from us. Additionally, we will send out periodic reminders to global admins at a regular cadence between the first notification and the beginning of enforcement for your tenant(s).
We will also allow a grace period for select customers with use cases where no workarounds are easily available and who need additional time (beyond the start date of enforcement for their tenants) to prepare for the MFA requirement at Azure sign-in. The first notification from us stating the enforcement date for your tenant(s) will also include a link to apply for the grace period. Additional details on customer types, use cases and scenarios that are eligible for grace period will be included in the notification.
This means any user who is part of Azure will have to go through MFA as a second authentication factor if Azure is performing authentication for them.
i.e., if any user accesses any resource and their authentication authority is Azure, then all those users will be prompted for MFA.
Let us know if you have any further questions.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
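As an added example (not part of the answer above or of Microsoft's documentation), the following Microsoft Graph PowerShell script creates the kind of Conditional Access policy the answer describes: it targets the members of one group, covers all cloud apps, and requires MFA as the grant control. The group and break-glass account object IDs are placeholders you must replace; the policy is created in report-only mode so its effect can be reviewed in the sign-in logs before it is switched to enabled. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account holds the Policy.ReadWrite.ConditionalAccess and Application.Read.All permissions.

```powershell
# Added example, not code from the original answer.
# Creates an Entra ID Conditional Access policy requiring MFA for a pilot group
# when signing in to any cloud app. Object IDs below are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholder: object ID of the group whose members should be prompted for MFA.
$targetGroupId = "<GROUP-OBJECT-ID>"

# Placeholder: object ID of an emergency-access (break-glass) account that stays
# outside the policy so an MFA outage cannot lock administrators out of the tenant.
$breakGlassUserId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"

$policy = @{
    displayName = "Require MFA for cloud apps - pilot group"
    # Report-only first: sign-in logs show what would have happened, nothing is blocked.
    # Change to "enabled" once the results look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeGroups = @($targetGroupId)
            excludeUsers  = @($breakGlassUserId)
        }
        applications   = @{
            # "All" means every cloud application that authenticates through Entra ID.
            # On-premises resources that authenticate against local AD never reach
            # this policy, which matches the behaviour asked for in the question.
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"

"Created policy $($created.id) in state $($created.state)"
```

After running it, review the Conditional Access report-only results in the Entra sign-in logs for the pilot group before changing `state` to `enabled`; the same request with `-Method PATCH` against `.../policies/<policy-id>` flips the state in place.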