Configure Multi-Factor Authentication on ADFS (Globally or relying party trust)

By | June 10, 2019

We can configure multi-factor authentication (MFA) policies on AD FS (Active Directory Federation Services) in two ways: by editing an individual relying party trust, which affects only that particular application, or globally, by editing Global Multi-factor Authentication at the ADFS server level, which affects all the applications on ADFS. A relying party trust does not override the global authentication policy, so you have to select whichever is best for your requirement. I recommend going with the global authentication policy, as this covers all the relying party trusts and applications on your ADFS.


MFA is triggered based on user or group membership, registered or unregistered device, and network location (external or internal). You can select from the above options based on your requirement.


Enable Multi Factor Authentication Globally

  • Open ADFS Management
  • Select Authentication Policies
  • Edit Global Multi-factor Authentication under Actions
  • Select Multi-factor
  • Select the conditions
    • User or group membership
    • Registered device or unregistered device
    • Network location: external or internal
  • Select the additional authentication method
  • The default method is Certificate Authentication
  • You can also configure other methods like Windows Azure Multi-Factor Authentication or RSA Authentication


Enable Multi Factor Authentication on relying party trust

  • Open ADFS Management
  • Select Authentication Policies
  • Select Relying Party Trust
  • Select the relying party trust from the list
  • Edit Custom Multi-factor Authentication under Actions
  • Select Multi-factor
  • Select the conditions 
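
The same two procedures can be scripted with the AD FS PowerShell module. This is an added example, not part of the original post: it covers only the external network location condition, and the relying party trust name `Contoso Claims App` is a placeholder.

```powershell
# Added example. Run in an elevated PowerShell session on the primary AD FS server.
Import-Module ADFS

# 'Global' applies the rule to every application; 'RelyingParty' to one trust only.
$scope  = 'Global'
$rpName = 'Contoso Claims App'   # placeholder: name of your relying party trust

# Claim rule that requires MFA when the request comes from outside the
# corporate network (the "external" location condition in the GUI).
$mfaExternalRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Select the additional authentication method (Certificate Authentication here).
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider 'CertificateAuthentication'

if ($scope -eq 'Global') {
    # Equivalent of "Edit Global Multi-factor Authentication".
    Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $mfaExternalRule
}
else {
    # Equivalent of "Edit Custom Multi-factor Authentication" on one trust.
    Set-AdfsRelyingPartyTrust -TargetName $rpName `
        -AdditionalAuthenticationRules $mfaExternalRule
}

# Verify what is configured: the method, the global rule, and per-trust rules.
Get-AdfsGlobalAuthenticationPolicy | Select-Object AdditionalAuthenticationProvider
(Get-AdfsAdditionalAuthenticationRule).AdditionalAuthenticationRules
Get-AdfsRelyingPartyTrust |
    Select-Object Name, Enabled,
        @{ Name = 'HasOwnMfaRule'
           Expression = { -not [string]::IsNullOrWhiteSpace($_.AdditionalAuthenticationRules) } }
```

Re-running the three verification commands after any policy change is a quick way to confirm that no trust was left without an MFA rule when the global rule is not in use.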
