
Is MFA for On-Prem Servers Necessary in a Tiered AD Environment?
Cybersecurity, Authentication, Active Directory, Best Practices
The author questions the necessity of implementing multi-factor authentication (MFA) for access to on-premises servers in a tiered Active Directory (AD) environment. Access to the servers is controlled by Group Policy Objects (GPOs) and limited to non-cloud domain accounts belonging to specific access groups (Tiers 0, 1, 2). The question also addresses the viability of a solution like Duo, given that the Tier accounts have no cloud accounts and cannot be enrolled. The author requests references to best practices or existing documentation.