1-Create a Network Device Group
Administration > Network Resources > Network Device Groups. Call it 2FA-Devices.
This is nothing more than a grouping, so 2FA can be applied to all devices in the group.
2-Create an external RADIUS token identity source
Work Centres > Device Administration > Ext ID sources
This is the part where you point ISE to your MFA provider, which could be Azure MFA, Symantec VIP, Duo or whatever else is out there.
First you configure the IP address, port and shared secret of the external source, so ISE can actually communicate with it (if there is a firewall in the path, make sure connectivity is permitted). I have called the external source "EGW", for external gateway. Most external MFA sources need the IP address of your ISE box(es) explicitly allowed before they will communicate with them.
3-Create a 2FA policy set
Work Centres > Device admin Policy sets > Add
As you can see in the picture above, I am pointing the default authentication policy to "EGW", so that it uses the MFA external source added in the previous step. Also as you can see in the picture above, the condition is that this policy set is applied to devices in the group "2FA-Devices".
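
The IP address, port and shared secret from step 2 can be checked before any device is moved into the 2FA-Devices group. The following Python sketch is an added example, not part of the original walkthrough: it builds an RFC 2865 Access-Request the way a RADIUS client does and verifies the Response Authenticator on the reply. The host, port, secret and test user are values you supply, and it assumes the machine running it is allowed as a client on the MFA source, just as the ISE nodes must be.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST = 1
REPLY_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    size = max(1, -(-len(password) // 16)) * 16   # pad to a multiple of 16, minimum 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(user, password, secret, ident, req_auth):
    def attr(kind, value):
        return struct.pack("!BB", kind, len(value) + 2) + value
    # Attribute 1 = User-Name, attribute 2 = User-Password (hidden with the secret)
    attrs = attr(1, user) + attr(2, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def reply_is_authentic(reply, ident, req_auth, secret):
    """Response Authenticator = MD5(code+id+length + request auth + attrs + secret)."""
    if len(reply) < 20:
        return False
    _code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def probe(host, port, secret, user=b"probe-user", password=b"000000", timeout=5.0):
    """Send one Access-Request; return the reply name, or raise on timeout/bad secret."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(user, password, secret, ident, req_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        reply, _ = sock.recvfrom(4096)  # a timeout here: filtered path or client not allowed
    if not reply_is_authentic(reply, ident, req_auth, secret):
        raise ValueError("reply failed Response Authenticator check: shared secret mismatch")
    return REPLY_CODES.get(reply[0], f"code {reply[0]}")
```

An authenticated Access-Reject or Access-Challenge for a dummy user is still a pass for this purpose: it shows the path, port and shared secret are right. A timeout points at the firewall or the allowed-client list on the MFA source.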