Recently I have been tasked with setting up MFA for various infrastructure servers with high-level or very broad access. I was able to do this with the PRTG server website by rehosting it on an internal 2016 WAP server and authenticating through AD FS with the Azure AD MFA extension.
This is not a supported scenario like the reverse proxy or load balancer setup (https://blog.paessler.com/take-advantage-of-reverse-proxies-and-load-balancers-for-prtg-how-it-works), but replacing the reverse proxy with a WAP server is basically the same concept. Unlike the reverse proxy, the WAP requires AD FS.
It takes two logins because I cannot figure out how to make PRTG take Integrated Windows Authentication so that it passes through, but it works.