We are going through similar testing with Azure SAML conditional access policies - by no means am I an expert; these are just my observations:
You can be as aggressive as you like in your sign-in frequency settings for the enterprise app for the portal and gateway and it will be honored, and you can have different settings for different types of devices - the end experience (will the user get prompted for password or MFA?) really depends on your Azure SAML authentication setup. The good news is that you can follow the logs from the client to the firewall to Azure and see exactly what is happening and being requested - whether the GP client is requesting a full SAML auth or using cookies. You can also see what Azure SAML has evaluated in the Azure portal: whether the sign-in conditions for SAML are met by a myriad of other conditions, such as whether the machine is Azure AD joined, has been unlocked using a work account, is using another app, is on a trusted network, is on a compliant device, etc.
Hope that helps.