Our application requires MFA with OTP for some user logins.
In the tenant MFA settings, One-time Password is set to Enabled, and Require Multi-factor Auth is set to never.
Then a Rule is set to require MFA only for users who meet certain criteria.
If for some reason a tenant’s OTP MFA is unintentionally disabled, an error will occur at login.
Therefore, we would like to request MFA after checking the status of the tenant’s MFA settings in the Rule. Is this feasible?
You can control the MFA settings with the management API. For example, you can enable/disable MFA factors with the /api/v2/guardian/factors/{name} endpoint.
This can be done from a rule/action. As a word of caution, the Management API has fairly strict rate limits and you should not be calling it or obtaining management API tokens every time a rule or action runs.
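A sketch of the approach described in the reply above, added here as an example; it is not code from the thread or from Auth0. Assumptions: `fetchFactors` is a hypothetical wrapper around `GET /api/v2/guardian/factors` that reuses a cached Management API token with the `read:guardian_factors` scope, `needsMfa` and the `require_mfa` metadata field are hypothetical criteria, `ruleGlobal` stands in for the `global` object a Rule keeps between runs, and the 5-minute TTL is arbitrary. The sketch denies the login when OTP is disabled instead of skipping MFA.

```javascript
// Added example: cache the tenant's OTP factor status so the Management API
// is queried at most once per TTL, not on every login.
const FACTOR_TTL_MS = 5 * 60 * 1000; // assumption: 5-minute cache lifetime

// Stand-in for the `global` object available inside a Rule (assumption).
const ruleGlobal = {};

// `factors` is shaped like the GET /api/v2/guardian/factors response:
// an array of objects such as { name: 'otp', enabled: true }.
function isOtpEnabled(factors) {
  return Array.isArray(factors) &&
    factors.some((f) => f.name === 'otp' && f.enabled === true);
}

// Hypothetical criteria for "users who must use MFA".
function needsMfa(user) {
  return Boolean(user.app_metadata && user.app_metadata.require_mfa === true);
}

// Calls fetchFactors only when the cached status is missing or stale.
function getOtpStatus(fetchFactors, now, cb) {
  const cached = ruleGlobal.otpStatus;
  if (cached && now - cached.at < FACTOR_TTL_MS) return cb(null, cached.enabled);
  fetchFactors((err, factors) => {
    if (err) return cb(err);
    ruleGlobal.otpStatus = { enabled: isOtpEnabled(factors), at: now };
    cb(null, ruleGlobal.otpStatus.enabled);
  });
}

// Rule body; `fetchFactors` and `now` are injected so it runs offline.
function requireOtpIfAvailable(user, context, fetchFactors, now, callback) {
  if (!needsMfa(user)) return callback(null, user, context);
  getOtpStatus(fetchFactors, now, (err, enabled) => {
    // Fail closed: a user who must use MFA is never let in without it.
    if (err) return callback(new Error('Could not verify tenant MFA status'));
    if (!enabled) return callback(new Error('OTP MFA is disabled for this tenant'));
    context.multifactor = { provider: 'any', allowRememberBrowser: false };
    callback(null, user, context);
  });
}
```

Inside a real Rule, pass `Date.now()` as `now` and store the cache on `global` rather than `ruleGlobal`.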