You can enable and manage MFA for any/all on-premise (Active Directory) users with a third party software called UserLock.
Enable MFA on Windows logins, RDP & RD Gateway, VPN and IIS connections. It also allows you to use on-premise AD credentials (and MFA) to securely access cloud applications such as Office365.
Hope this helps. More information at [http://www.userlock.com/