Thank you for posting this in Microsoft Q&A.
As I understand you have configured MFA settings to prompt for MFA only when users are accessing Azure resources from external network (Internet). Users should not be prompted for MFA when accessing Azure resources from internal network.
You can try to achieve this by configuring a conditional access policy in Azure.
You can define a conditional access policy by mentioning IP addresses range which should prompt for MFA while accessing Azure resources. You can configure this in Named locations in Conditional access policy. Once you create Named locations you can use this Named location in the conditional access policy that you create.
You can follow below article to configure CA policy with named locations using network IP ranges for MFA prompts.
https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-assignment-network
Let me know if you have any further questions.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.