You have federated Microsoft 365 with Duo SSO or Duo Access Gateway?
Is it possible the users in the other domain might be accessing M365 from clients using basic authentication or WS-Trust, which if enabled in Duo will skip 2FA?
Do the Authentication Logs for your Microsoft 365 application in the Duo Admin Panel show a reason why the users might be bypassing Duo? Perhaps their usernames aren’t enrolled in Duo and your new user policy allows unenrolled users access?
If these suggestions don’t help your best next step is to contact Duo Support for 1:1 assistance.