Would the same issue apply “If a client is reporting as intranet and talking to CMG it won’t use AAD auth. We’re investigating. Workaround is to make an MP available to the VPN boundary”, if a client is not using a VPN, but is actually on-premises and is showing Intranet?

 

This is what we are seeing. We currently have two MPs on-premises and they are available to all boundaries.