The best option is to enable SAML authentication. The IdP (Azure AD) would handle the MFA part, and after successful authentication a session is set up.
It might be needed to enforce MFA authentication for the SP-initiated authentication flow.
Please take a look at: IdentityIQ SAML support guide
– Remold
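As an added example (not part of the original answer and not IdentityIQ code): a service-provider-side check that an assertion from Azure AD actually records MFA, which is one way to confirm the enforcement mentioned above is working. It assumes the tenant emits the `authnmethodsreferences` claim and that the assertion's signature and conditions were already validated by the SAML stack; the function names and sample assertions are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim in which Azure AD lists the authentication methods used at sign-in.
AMR_CLAIM = "http://schemas.microsoft.com/claims/authnmethodsreferences"
MFA_VALUE = "http://schemas.microsoft.com/claims/multipleauthn"
PASSWORD_VALUE = (
    "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password"
)


def auth_methods(assertion_xml: str) -> set:
    """Return the authentication method URIs recorded in the assertion.

    Assumption: the caller has already verified signature, audience and
    validity window; this function only reads the claim.
    """
    root = ET.fromstring(assertion_xml)
    methods = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != AMR_CLAIM:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                methods.add(value.text.strip())
    return methods


def mfa_performed(assertion_xml: str) -> bool:
    """True only if the IdP states that multi-factor authentication took place."""
    return MFA_VALUE in auth_methods(assertion_xml)


def _sample_assertion(methods) -> str:
    """Build a constructed, unsigned assertion for demonstration only."""
    values = "".join(f"<AttributeValue>{m}</AttributeValue>" for m in methods)
    return (
        '<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        f'<AttributeStatement><Attribute Name="{AMR_CLAIM}">{values}</Attribute>'
        "</AttributeStatement></Assertion>"
    )


WITH_MFA = _sample_assertion([PASSWORD_VALUE, MFA_VALUE])
PASSWORD_ONLY = _sample_assertion([PASSWORD_VALUE])
NO_CLAIM = _sample_assertion([])

if __name__ == "__main__":
    for name, xml in [("mfa", WITH_MFA), ("password", PASSWORD_ONLY), ("none", NO_CLAIM)]:
        print(name, "->", "accept" if mfa_performed(xml) else "reject")
```

A missing claim is treated the same as a password-only sign-in, so the check fails closed.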