HI,
You can start with VPN and for that ypu only need duo Auth proxy .
You can add duo Access Gateway for helping the registration process and user self service
Then you can also use Duo AG for federate with office 365.
You can define a group in AD ( DUO Users) and syncronize this group with duo in order to force only 2factr for this users bypassing all the rest.
You don’t need ADFS, but you can use if you whant to replace DUO AG.