We want to require multi-factor authentication for RDP login (and local login) going forward on our Windows Server systems. Currently all of our Windows Server systems are Windows Server 2016. We are using Azure Active Directory free tier (but are open to upgrading if that is required). We do not want to use third-party products in the mix.
So ideally we would join the Windows Server 2016 systems to Azure AD. Then we would require multi-factor authentication somehow.
We have not been able to find a simple guide on how to do this. There are some questions on StackExchange about this topic, but there either are no answers, or the questions are multiple years old and say it cannot be done.
Since it is 2020, and there are also the new Windows Server 2019 and 2016 OSes available, and since Windows 10 desktop supports MFA, I wanted to ask this question:
How to achieve Azure AD + MFA + Windows Server 2016 RDP login?