Jul 19 2020 10:56 PM Solution
So, the following is from the Session Controls within a CA policy - "Time period before a user is asked to sign-in again when attempting to access a resource. The default setting is a rolling window of 90 days, i.e. users will be asked to re-authenticate on the first attempt to access a resource after being inactive on their machine for 90 days or longer".
More information can be found at - https://docs.microsoft.com/en-gb/azure/active-directory/conditional-access/howto-conditional-access-...
So I would think that you can work on the principle that after 2 hours of inactivity, they will be prompted for sign in, and at this point, they will be challenged to register for MFA.