Sunny, my team is going to attempt to have different MFA policies by customer with the following strategy. We are going to add metadata to our enterprise connections that indicates if that connection enforces MFA. Then, when a user logs in, we check the connection metadata in a rule. If the metadata indicates MFA is enabled on the enterprise connection, then we set:
context.multifactor = {
  provider: 'none'
};
Which would disable MFA.
Otherwise we could set:
context.multifactor = {
  provider: 'any'
};
To force MFA, or just let adaptive MFA kick in for high-risk logins.
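The strategy described in the post above, written out as a single rule. This is an added example, not the poster's code. The metadata key `idp_enforces_mfa` and the `decide` helper are hypothetical names, and the rule assumes metadata values arrive as strings; any missing or unexpected value falls through to forced MFA, so a misconfigured connection never silently skips the second factor.

```javascript
// Added example: Auth0 Rule for per-connection MFA.
// Assumption: the connection metadata key "idp_enforces_mfa" is a
// hypothetical name chosen for this illustration.
function perConnectionMfa(user, context, callback) {
  // connectionMetadata may be absent on connections with no metadata set.
  const meta = context.connectionMetadata || {};

  // Metadata values are treated as strings; only the exact value 'true'
  // disables MFA. Anything else (missing key, 'TRUE', 'yes') fails closed.
  const idpEnforcesMfa = meta.idp_enforces_mfa === 'true';

  context.multifactor = idpEnforcesMfa
    ? { provider: 'none' } // upstream IdP already enforces MFA
    : { provider: 'any' }; // force MFA for this login

  return callback(null, user, context);
}

// Helper (hypothetical) that runs the rule against a constructed context
// and returns the provider the rule selected.
function decide(connectionMetadata) {
  const context = { connection: 'constructed-connection', connectionMetadata };
  let provider;
  perConnectionMfa({}, context, (err, u, ctx) => {
    provider = ctx.multifactor.provider;
  });
  return provider;
}

// Constructed sample inputs.
console.log(decide({ idp_enforces_mfa: 'true' })); // none
console.log(decide({ idp_enforces_mfa: 'TRUE' })); // any
console.log(decide(undefined));                    // any
```

To let adaptive MFA decide instead of forcing a challenge, leave `context.multifactor` unset in the second branch.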