Azure AD Joined Machines To Get MFA Prompts at Sign-in
When an MFA-protected user logs into a Windows 10 Azure AD joined device, it just lets them in with their username and password. Can a system please be put in place which also prompts for MFA BEFORE letting them into Windows, not by a small notification in the bottom to ask for it...

You can use Windows Hello for Business, which requires MFA to be set up and can be used to authenticate to Windows as a strong hardware-protected credential. In addition, you can also enable multifactor unlock with Windows Hello that requires 2 different factors to be present for the user to authenticate – https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock
Hope this helps