Not sure if it is currently possible do this, but can you control the requirement of multi-factor by role or authentication source?
So if you are asking that can you selectively ask for second factor of authentication only for certain roles then the answer is NO. Once you pass whatever authentication mechanism is configured roles are assigned after that step.