Thanks @john.gateley @adam.housman for the prompt response. Organizations is good (but needs enterprise/startup license for that), but my use-case is well satisfied with the Application <-> Connection combo…
I will try your suggestion of using Rules with clientID conditions for application specific MFA.
Thanks again.