Hello @PhoneBoy is there any update from checkpoint on when you will be supporting this SAML parameter for the MFA issue? See @Paul_Hagyard 's Post above
See official response from Microsoft below
This could happen when your device is registered/Azure AD joined/hybrid joined to your organization's Azure AD, in case of which a PRT (Primary Refresh Token) is issued to the device. The PRT is then used to provide a seamless single sign-on experience by automatically signing in with the account used to log in to the device. If there was MFA prompted initially in the process of device registration/Azure AD joined/hybrid joined, then even MFA claim is stored in PRT.
Now, whenever user tries to access any application from this device, and if there is any conditional access policy which is configured to prompt for MFA while accessing, then Azure AD will make use of this PRT and both first factor authentication and MFA will not be prompted as PRT contains the MFA claim in it.
You can refer below article to know how PRT is utilized during app token requests,
To require users in your organization's directory to prompt for MFA every time they access the application, you need to update your application code to include forceAuthn="true" parameter in the authentication request. This is an SAML parameter that forces interactive authentication regardless of whether a valid PRT and/or Cookies are present or not.
Read more: https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol