I am testing different Conditional Access policies with MFA, so I have 3 different policy;
Office local apps -> device is compliant -> grant
Office local apps -> MFA-> grant
Office web apps -> MFA->grant
With these options, users with non-compliant device does receive MFA but are still not allowed in. But same user opening office.com from non-compliant device via WEB does get into Office web apps fine. I would like to archive the scenario, that if device is not compliant, MFA would pop-up for Office local apps. Not sure, is it even possible.

