Hello @Grant Mitchell · Welcome to Q&A Platform and thanks for your query.
After successful authentication, regardless of whether it is single-factor or multi-factor, an access token and refresh token pair is issued to the user. The access token is short-lived (1 hour by default) and the refresh token lasts 90 days by default. At the expiry of the access token, the refresh token is redeemed to get a new access token; when the refresh token is redeemed, no user interaction is required and no MFA prompt occurs. For security reasons, the refresh token is bound to the application and device and cannot be used on any other device, which is why users are prompted for authentication when they log in to any other server in the farm.
The best possible solution in this case would be to add the public address that represents your RDS farm to Trusted IPs in the MFA portal so that you don't get an MFA prompt on your corporate network. To do this, go to Portal.azure.com > Azure Active Directory > Users > click the Multi-Factor Authentication link > click Service Settings > under the option "Skip multi-factor authentication for requests from following range of IP address subnets", add the public IP address/subnet that represents your RDS farm as shown below:
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
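As an added example that is not part of the answer above and is not Azure AD's own code, the following Python model walks through the token lifecycle the answer describes: an interactive sign-in issues a 1-hour access token and a 90-day refresh token bound to the application and device, the refresh token is redeemed silently (no prompt counted) when the access token expires on the same device, and redeeming it from a second session host is refused, forcing a fresh interactive sign-in. The `TokenService` class, the `get_access_token` client helper, the host names and the timestamps are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass

ACCESS_TOKEN_LIFETIME = 60 * 60             # 1 hour, the default the answer cites
REFRESH_TOKEN_LIFETIME = 90 * 24 * 60 * 60  # 90 days, the default the answer cites


class InteractiveAuthRequired(Exception):
    """The refresh token could not be redeemed silently; the user must sign in again."""


@dataclass(frozen=True)
class AccessToken:
    user: str
    app: str
    device: str
    issued_at: int
    expires_at: int


@dataclass(frozen=True)
class RefreshToken:
    value: str
    user: str
    app: str      # bound to the requesting application ...
    device: str   # ... and to the device that performed the sign-in
    expires_at: int


class TokenService:
    """Hypothetical identity provider modelling the behaviour described in the answer."""

    def __init__(self):
        self._refresh_tokens = {}
        self.interactive_prompts = 0  # sign-ins that reach the user (and therefore MFA)

    def interactive_sign_in(self, user, app, device, now):
        self.interactive_prompts += 1
        access = AccessToken(user, app, device, now, now + ACCESS_TOKEN_LIFETIME)
        refresh = RefreshToken(secrets.token_urlsafe(32), user, app, device,
                               now + REFRESH_TOKEN_LIFETIME)
        self._refresh_tokens[refresh.value] = refresh
        return access, refresh

    def redeem_refresh_token(self, value, app, device, now):
        token = self._refresh_tokens.get(value)
        if token is None or now >= token.expires_at:
            raise InteractiveAuthRequired("refresh token unknown or expired")
        if (token.app, token.device) != (app, device):
            raise InteractiveAuthRequired("refresh token is bound to another app/device")
        # Silent renewal: no user interaction and no MFA prompt.
        return AccessToken(token.user, token.app, token.device, now, now + ACCESS_TOKEN_LIFETIME)


def is_access_token_valid(token, now):
    return now < token.expires_at


def get_access_token(service, user, app, device, cache, now):
    """Client-side helper: reuse a valid access token, else refresh silently, else sign in."""
    access, refresh = cache.get(device, (None, None))
    if access is not None and is_access_token_valid(access, now):
        return access
    if refresh is not None:
        try:
            access = service.redeem_refresh_token(refresh.value, app, device, now)
            cache[device] = (access, refresh)
            return access
        except InteractiveAuthRequired:
            pass
    access, refresh = service.interactive_sign_in(user, app, device, now)
    cache[device] = (access, refresh)
    return access


def rds_farm_scenario():
    """Constructed walk-through of the question: one user, two RDS session hosts."""
    svc, cache = TokenService(), {}
    t0 = 1_700_000_000                       # arbitrary epoch seconds
    user, app = "user@contoso.example", "rds-client"

    # 1. First logon on host A is interactive (prompt counted).
    get_access_token(svc, user, app, "rds-host-a", cache, t0)
    prompts_after_first = svc.interactive_prompts

    # 2. Two hours later on host A the access token has expired; the refresh
    #    token is redeemed silently, so the prompt count does not change.
    get_access_token(svc, user, app, "rds-host-a", cache, t0 + 2 * 3600)
    prompts_after_refresh = svc.interactive_prompts

    # 3. Host B presents host A's refresh token: refused because of device binding.
    try:
        svc.redeem_refresh_token(cache["rds-host-a"][1].value, app, "rds-host-b", t0 + 2 * 3600)
        cross_device_refresh_rejected = False
    except InteractiveAuthRequired:
        cross_device_refresh_rejected = True

    # 4. Host B therefore has to perform its own interactive sign-in.
    get_access_token(svc, user, app, "rds-host-b", cache, t0 + 2 * 3600)
    prompts_after_host_b = svc.interactive_prompts

    return {
        "prompts_after_first_logon": prompts_after_first,
        "prompts_after_silent_refresh": prompts_after_refresh,
        "cross_device_refresh_rejected": cross_device_refresh_rejected,
        "prompts_after_second_host": prompts_after_host_b,
    }
```

Running `rds_farm_scenario()` shows one prompt for the first logon, still one after the silent refresh on the same host, a refused cross-device redemption, and a second prompt on the second host, which is the pattern the question reports across the farm.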