Hi rdbrooks,
There are a couple of ways to approach this.
1: If you use our Duo SSO protection for AnyConnect, then you would be able to make use of Remembered Devices policies to prevent repeated 2fa authentications, assuming they all happen within the same browser.
2: Alternatively, assuming you are protecting the VPN itself with Duo, you can always leverage Authorized Networks policies to exclude the external VPN IP from 2fa requirement.
Please find the documentation for the Authorized Networks policy below:
You should take care however to not exclude the VPN protection itself from 2fa by using targeted application policies for the specific applications you wish to bypass when a user has already authenticated via the VPN.
Duo policies can be applied to:
With regards to policy conflicts the most specific policy applies.
Group Policy > Application Policy > Global Policy.
Please find the Guide to Duo Policies below:
https://help.duo.com/s/article/policy-guide