Duo exposes a REST API while the Microsoft Identity Platforms exposes OAuth2 and SAML enpoints. The closest you will get to "only" initiate MFA and do not receve a token is to use the Authorization Grant Flow which will yield a code only. For MFA to be initiated an appropiate Conditional Accesss policy must apply, Azure AD Security Defaults must be enabled or per user MFA must be enabled.
You might replace ping querying the OpenID Connect metadata endpoint with a GET request:
https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
And you can initiate the Authorization Grant Flow doing a GET request to the following endpoint:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?client_id={app id}&response_type=code&scope=.default
---
Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.