Requiring a user to MFA once per day per device is normal for a work account - but that's already a lot compared to services like Gmail.

After all, workers are mostly working in an access-controlled office or their private home; and your endpoint protection will be ensuring they're connecting from a company-issued laptop and that they have screen lock on a timer and a strong password.

I'm already validating something-they-know (FDE password) and something-they-know (OS password) and something-they-know (SSO system password) and something-they-have (company laptop). And once a day I'm validating another something-they-have (TOTP code/YubiKey).

Asking people to provide the second something-they-have several times a day seems like security theatre to me.