On https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa it explains how you could enable it globally as an alternative to using the password.
Can I do this for only one RPT instead (extranet login via WAP 2016)?
