Re: How I can add MFA for non-corporate vpn users using Azure
On FortiGate, if you configure not just an LDAP server for the group, but set up local users of a remote type (e.g. 'set type ldap') pointing to LDAP, and equip those locally defined on-FGT users with FortiToken, then when they log in and pass user/password verification they should be prompted for the token. Keep in mind that AD is case insensitive, so on old FortiOS you could circumvent 2FA by changing the username used so that it did not match the exact case-sensitive setting on FortiGate, but newer FortiGates do have that handled with "set username-case-sensitivity disable" ;-)
On FortiAuthenticator, you can sync users from that LDAP and let sync rules assign tokens to those users completely automatically.
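
The case-sensitivity caveat from the reply above, as an added example that is not part of the original post: a Python check over a FortiGate config backup that flags LDAP-type local users whose token is enabled without the `set username-case-sensitivity disable` line the post mentions. The sample config is constructed and trimmed, `set two-factor fortitoken` is FortiOS syntax not quoted in the post, and treating a missing line as the case-sensitive default is an assumption.

```python
# Constructed, trimmed sample of a config backup; the user names are made up.
SAMPLE_CONFIG = """\
config user local
    edit "alice"
        set type ldap
        set two-factor fortitoken
        set username-case-sensitivity disable
    next
    edit "bob"
        set type ldap
        set two-factor fortitoken
    next
    edit "carol"
        set type ldap
    next
end
"""

def parse_local_users(config_text):
    """Return {username: {setting: value}} from the 'config user local' section."""
    users, current, in_section = {}, None, False
    for line in map(str.strip, config_text.splitlines()):
        if line == "config user local":
            in_section = True
        elif in_section and line == "end":
            in_section = False
        elif in_section and line.startswith("edit "):
            current = users.setdefault(line[5:].strip('"'), {})
        elif in_section and current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip().strip('"')
    return users

def audit(config_text):
    """Map each LDAP-type local user to 'ok', 'case-sensitive' or 'no-token'."""
    findings = {}
    for name, cfg in parse_local_users(config_text).items():
        if cfg.get("type") != "ldap":
            continue
        if cfg.get("two-factor", "disable") == "disable":
            findings[name] = "no-token"
        # Assumption: a setting absent from the backup is at its default (enabled).
        elif cfg.get("username-case-sensitivity") != "disable":
            findings[name] = "case-sensitive"
        else:
            findings[name] = "ok"
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Users reported as `case-sensitive` are the ones to fix with the setting from the post; `no-token` users authenticate against LDAP with no second factor at all.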