ESS Local Install with AD LDAP integration - Want to move to the cloud and have Multi-Factor Authentication for access - Can we keep our Active Directory integration?

We are a large organization with 800 staff both on premise and hybrid working from home. Currently we use SAGE ESS with local Active Directory LDAP accounts synced for staff to access. If off-premise hybrid staff need access to ESS, they need to VPN into their work desktop to access the local link sign in. We want to move the local install off premise to the cloud keeping the AD integreation (see our login portal) and have Multi-Factor Authentication sign-in? Is this possible are does it have to be pure cloud losing the AD integration but picking up the MFA?