You may find this information from our AD FS documentation is helpful in understanding and resolving your issue:
Note that any MFA assignments made via the Global Authentication Policy editor are effectively “OR” rules, so each individual condition always applies. If you were to add a specific group (like ACME\Duo_Users) to the Users/Groups section, and then also check the box for the Extranet location, you may expect that the net effect is that members of the ACME\Duo_Users who access AD FS externally require MFA while members of that group accessing AD FS internally and any user who is not a member of that group do not require MFA. Since the GUI creates “OR” rules instead of “AND” rules the net effect is actually that members of ACME\Duo_Users always require MFA regardless of location, while users not in the ACME\Duo_Users group accessing AD FS externally also require MFA.
If you’re not expecting to be prompted, please ensure you have not checked the relevant Extranet or Intranet box as well, as it could be the reason you’re being prompted.