@Anwar Mahmood If all the Red and Blue computers are Hybrid Azure AD Joined, they will have a PRT (Primary Refresh Token). Once a user performs MFA on a Hybrid Azure AD joined machine, the MFA claim is stored in the PRT, and the user will not be prompted for MFA again for as long as the PRT is valid.
A PRT is invalidated in case of an invalid user, an invalid device, a password change, or TPM issues. For more information, please refer to How is a PRT invalidated?
-----------------------------------------------------------------------------------------------------------
Please "Accept as answer" wherever the information provided helps you to help others in the community.