Hello @JKRRI ,
Thanks for reaching out.
Could you please confirm, how you enabled MFA for users ? through "Azure AD conditional access policy" or "Per-user Enabled/Enforced" from legacy MFA portal ?
Reason because, Per-user Enabled/Enforced Azure AD Multi-Factor Authentication is not supported for VM sign-in.
I see that you already have excluded "Azure Windows VM Sign-In" cloud app from conditional access, but when you have more than one policy created in AAD, then its worth to check out if same condition has been updated in all policy. The best way to find out list of policy applied for the user is to use What If tool in Conditional Access or user Sign-in Logs.
Hope this helps.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.