Although I'm not familiar with getting ASA's to use MFA with NCM, you can see if there's a way you can leverage these ideas for multi-factor auth using the ideas in these links:
To the best of my knowledge, Azure does not yet have a solution for this.
Duo offers a "solution" whereby you can create exception lists for specific devices, addresses, subnets, etc. In that scenario, your NCM must be listed on the trusted list for not using MFA. In essence, using the IP address of the NCM device IS your second form of authentication.
I would not be surprised to learn Cisco is buying or developing an MFA solution. Whether they'll make it affordable, or whether it will be convenient to use with management tools like NCM remains to be seen.
The first link goes to a page not found