Tags: azure, azure-active-directory, multi-factor-authentication

Additional MFA for sensitive apps in Azure AD


We have received a requirement from a client where they want MFA to be imposed mandatorily in case a user accesses certain sensitive applications. E.g., I log in to myapps and am prompted for MFA and land on the desired page. On accessing a certain app from myapps I should again be prompted for MFA (irrespective of how long it has been since I logged in). With Conditional Access policies, though I attach 'Require MFA' to those applications, it doesn't prompt for MFA if I am already logged in and have a session. Any pointers as to how to achieve the intended functionality?


Solution

  • I don't think you can achieve this: if the user's session already exists, it will not re-enforce the MFA auth.

    So if you want the re-auth with MFA, you need to clear the session. The closest way is to leverage the Sign-in Frequency policy, but the minimum you can set it to is 1 hour; after one hour, the user will be prompted to sign in again. Before enabling Sign-in Frequency, make sure other reauthentication settings are disabled in your tenant. If "Remember MFA on trusted devices" is enabled, be sure to disable it before using Sign-in Frequency.
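The policy the answer describes, as an added example (not code from the answerer or from Microsoft): a Conditional Access policy scoped to the sensitive applications that requires MFA and sets a 1-hour sign-in frequency, created through the Microsoft Graph PowerShell SDK. The application and break-glass account IDs are placeholders you must replace, and the policy is created in report-only state so it can be reviewed in the sign-in logs before being switched to "enabled".

```powershell
# Added example: Conditional Access policy for sensitive apps with MFA + 1-hour sign-in frequency.
# Requires the Microsoft.Graph PowerShell module and an account allowed to manage Conditional Access.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# Placeholder application (service principal) IDs of the sensitive apps; replace with your own.
$sensitiveAppIds = @("<SENSITIVE-APP-ID-1>", "<SENSITIVE-APP-ID-2>")

# Placeholder object ID of an emergency-access account that must never be locked out by this policy.
$breakGlassAccountId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"

$policy = @{
    displayName = "Sensitive apps - require MFA, sign-in frequency 1 hour"
    # Report-only first: evaluate the effect in sign-in logs, then change to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        applications   = @{ includeApplications = $sensitiveAppIds }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")          # 'Require MFA' grant control
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled = $true
            type      = "hours"             # "hours" or "days"
            value     = 1                   # 1 hour is the smallest interval the answer refers to
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back to confirm the controls were stored as intended.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = "SignInFrequency"; e = { "$($_.SessionControls.SignInFrequency.Value) $($_.SessionControls.SignInFrequency.Type)" } },
        @{ n = "Grant";           e = { $_.GrantControls.BuiltInControls -join "," } }
```

Because the sign-in frequency applies per session rather than per application access, the user is still only re-prompted once the hour has elapsed, which is exactly the limitation the answer points out; the legacy "Remember MFA on trusted devices" setting in the per-user MFA portal is not a Graph policy property and has to be disabled separately, as the answer also notes.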