I was asked this recently but before I give the answer I think it is I would like to double check.

We have O365 configured with federation that redirects to our NAM environment. Once the user is authenticated through NAM the user is prompted for 2FA under certain conditions. This process works fine when using a web-based client (i.e. Firefox, IE, Chrome, etc.) but I was asked "what about standard clients like Outlook and Thunderbird?" I know the federation part of it works as the client prompts that appear let users login with their federated credentials but is there a way to have the NAM 2FA protocols kick-off against a stand-alone client like that? I don't believe there is since the stand-alone clients are not using web based login forms like NAM to authenticate users but rather use their own product integrated authentication methods. Is there a way to make these local clients use our NAM 2FA methods or are those clients free to subvert that extra layer of security? Is there another product like SecureLogin that would be needed to apply this conditional 2FA to these clients?

Thanks in advance for any feedback.