Can I define which applications on a tenant are eligible for SMS MFA, blocking this option for others, or is it cleaner to have separate tenants for apps that can/cannot use SMS MFA? TIA
Welcome to the Auth0 Community and sorry for the late reply.
You can reach this within a single tenant in Auth0 by using a post-login Action.
Firstly you must enable the Customize MFA Factors using Actions toggle in the Additional Settings section.
Then you can create an Action and select which applications should use the SMS factor by using the event.client.name parameter and set the desired MFA option using a method such as api.authentication.enrollWith.
You can read more about this in our documentation about Customize MFA Enrollments for Universal Login, which provides examples as well.
I hope this helped,
Remus
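A sketch of the post-login Action described in the reply above, added here as an example and not code from the original answer or from Auth0's documentation. The application names in `SMS_ALLOWED_APPS` and the helper `decideMfa` are assumptions made for illustration; `phone` is the factor type that covers SMS.

```javascript
// Assumption: names of the applications permitted to use SMS (constructed values).
// event.client.client_id is a more stable key than the name, which can be edited.
const SMS_ALLOWED_APPS = new Set(['Customer Portal', 'Field Service App']);

// Hypothetical helper: decide which factors this login may use.
function decideMfa(event) {
  const smsAllowed = SMS_ALLOWED_APPS.has(event.client.name);
  const enrolled = (event.user.enrolledFactors || []).map((f) => f.type);

  // Factors this application accepts.
  const accepted = smsAllowed ? ['otp', 'phone'] : ['otp'];

  // Only challenge with factors that are both enrolled and accepted here.
  // A user who enrolled SMS through an allowed app and then signs in to a
  // restricted app has no usable factor, so they are sent to enroll OTP
  // instead of being challenged by SMS.
  const usable = accepted.filter((type) => enrolled.includes(type));
  return usable.length > 0
    ? { action: 'challenge', factors: usable }
    : { action: 'enroll', factors: accepted };
}

// Requires the "Customize MFA Factors using Actions" toggle to be enabled.
async function onExecutePostLogin(event, api) {
  const { action, factors } = decideMfa(event);
  const list = factors.map((type) => ({ type }));
  if (action === 'challenge') {
    api.authentication.challengeWithAny(list);
  } else {
    api.authentication.enrollWithAny(list);
  }
}

if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

Because the decision is recomputed on every login, removing an application from the allow-list stops SMS challenges for it even for users who already have a phone factor enrolled.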