Azure AD Application Proxy is intended for remote access to on-premises applications.
It isn't recommended for on-premises access.
However, if I did use it for on-premises access, and required MFA, would I need to MFA every app, every time?
On-premises computers are hybrid Azure AD joined.
On on-premises "blue" computers, I want SSO to these apps.
On on-premises "red" computers, I want SSO but also MFA on these apps. For the sake of discussion, "red" computers are somehow less secure, and/or "red" computer users use more sensitive parts of the app. Hence, they must MFA to the app.
People on the "red" computers may need HR, Accounts and Marketing apps. They may dip in and out of these apps several times a day.
If people on the "red" computers have to perform MFA for HR, Accounts and Marketing every time they open them in the browser, there would be severe pushback.
Can it do it "once", and have it "persist" for a reasonable time (say, a working day)?