Is it possible to setup Centrify DirectControl such that a user that is logging into a Linux machine through the Centrify OpenSSH Daemon is required to use MFA (Multiple Factor Authentication) but is NOT required to use MFA when running an SFTP client?
No. The MFA requirement follows the user account. When the sshd is called to do login authentication or SFTP, the MFA process is invoked before sshd invokes the SFTP-server to perform the SFTP function. MFA is required in both cases. The sshd does not distinguish between logging in to a secure shell and connecting for SFTP.