We’ve got a custom rule for controlling conditional MFA on one of our applications. As suggested in this document here, the rule is checking the
However, when users actually enable MFA, this property is never set on the user’s metadata, so MFA is never actually enforced on login.
Is this property supposed to be set manually? And if so, how, as at least as far as I can see when a user enables MFA via an enrolment ticket link/email, they are never redirected back to our application, nor is there any callback, so how are we to ever know they have enabled MFA to then set the property?
Any help on this would be much appreciated!