OWA MFA only for External users

We have users that access our Exchange 2013 server over OWA from both inside and outside our network. We would like to implement Duo MFA ONLY for users accessing OWA from the internet. We do not want our internal users to be prompted for MFA. Is this possible?

Yes, you can accomplish this via an Authorized Networks policy.

Looks like we need the premium Duo service for this. I am trying to get approval to upgrade. Would we be able to apply that just to certain protected applications? There are internal things we want protected by MFA also.

Yes, you can apply an application-level or global authorized networks policy with Duo MFA (the least-expensive paid edition). You can learn more about our editions here: Pricing | Duo Security