Generally speaking, yes. But there are a number of corner cases where the details kind of matter, which is why I was asking those questions.
One Enterprise Application should be fine in most use cases.
In my opinion, the best place to set up MFA, especially Azure MFA, is on the UAGs. The question about internal MFA comes down to "who is required to use MFA internally" and "what is the use case driving it."