Hi @michal.k
Welcome to the Auth0 Community!
I have found that a different approach works reliably in my case while doing some testing, namely the steps outlined in our Knowledge Article on How to Enable MFA for a Subset of Users.
This works the other way round from your approach, in that MFA will not be required of every user, only of those that have a specific object in their app_metadata (I would suggest setting the object in app_metadata instead of user_metadata, as outlined in the documentation, because users have Read-Only permissions to app_metadata, but Read/Write to the latter).
Alongside the Action itself, one difference to point out is to make sure that Require Multi-factor Auth is set to None. This is because we want MFA to be triggered according to the Action, and not out-of-the-box for everyone.
From my testing, this operated the way you intended it to: only users with "use_MFA" : true in their app_metadata are prompted for MFA. The mentioned article also shows how to update the app_metadata both through the Dashboard and through the Management API, in case you have a larger pool of users.
The Action that I used for testing is this:
exports.onExecutePostLogin = async (event, api) => {
  // Only users whose app_metadata carries use_mfa: true get the MFA prompt.
  // The key is case-sensitive and must match exactly what was set through
  // the Dashboard or the Management API.
  if (event.user.app_metadata && event.user.app_metadata.use_mfa) {
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
};
Hope this helped!
Gerald
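The following is an added example, not code from Gerald's reply or from Auth0 itself. It takes the same Action logic, factors the decision into a function that can be exercised offline against a stand-in for the `api` object that Auth0 passes to onExecutePostLogin, and checks the two pitfalls the reply touches on: the app_metadata key is case-sensitive, and a flag placed in user_metadata (which users can write themselves) must not count. It also builds the Management API request (PATCH /api/v2/users/{id}) that sets the flag on one user without sending it. Assumptions: the flag is the key `use_mfa` with the boolean value true; `makeRecordingApi`, `simulateLogin` and `buildSetMfaFlagRequest` are hypothetical helpers written for this example; the domain, token and user ids are constructed placeholders.

```javascript
// Added example (not from the original post or from Auth0): the posted Action
// logic as a testable function, plus a recording stand-in for the Actions
// `api` object and a builder for the Management API update request.
// Assumed: the opt-in flag is app_metadata.use_mfa === true.

// Decision factored out of the Action so it can be unit-tested.
function shouldRequireMfa(user) {
  const meta = user && user.app_metadata;
  // Strict check: only the boolean true counts. A string "true", a
  // differently-cased key, or a flag in user_metadata are all ignored.
  return Boolean(meta) && meta.use_mfa === true;
}

// Same behaviour as the Action in the reply; in a deployed Action this is
// assigned to exports.onExecutePostLogin.
const onExecutePostLogin = async (event, api) => {
  if (shouldRequireMfa(event.user)) {
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
};
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Hypothetical stand-in for the Actions `api` object: it only records calls.
function makeRecordingApi() {
  const calls = [];
  return {
    calls,
    multifactor: {
      enable(provider, options) { calls.push({ provider, options }); },
    },
  };
}

// Run the Action against a constructed login event and resolve with the
// recorded multifactor.enable calls (empty array means no MFA prompt).
async function simulateLogin(user) {
  const api = makeRecordingApi();
  await onExecutePostLogin({ user }, api);
  return api.calls;
}

// Build the Management API request that sets the flag on one user
// (PATCH /api/v2/users/{id} with an app_metadata body). Sending it is left
// to the caller; `domain` and `token` are placeholders for the tenant domain
// and a Management API token with the update:users scope.
function buildSetMfaFlagRequest(domain, token, userId, useMfa) {
  return {
    method: 'PATCH',
    url: `https://${domain}/api/v2/users/${encodeURIComponent(userId)}`,
    headers: {
      Authorization: `Bearer ${token}`,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({ app_metadata: { use_mfa: useMfa } }),
  };
}

// Constructed sample users (not real accounts) covering the cases above.
const samples = {
  optedIn:      { user_id: 'auth0|alice', app_metadata: { use_mfa: true } },
  wrongCase:    { user_id: 'auth0|bob',   app_metadata: { use_MFA: true } },
  userWritable: { user_id: 'auth0|carol', user_metadata: { use_mfa: true } },
  noMetadata:   { user_id: 'auth0|dave' },
};

// Stand-alone run: print which constructed users would be prompted.
Promise.all(
  Object.entries(samples).map(([name, user]) =>
    simulateLogin(user).then((calls) => [name, calls.length > 0]))
).then((rows) => rows.forEach(([name, mfa]) => console.log(name, mfa ? 'MFA' : 'no MFA')));
```

The strict `=== true` comparison is deliberate: it means an attacker who can only write user_metadata, or who manages to get a truthy non-boolean into the record, cannot change the outcome, and it makes the wrongly-cased key show up as "no MFA" in testing rather than silently passing.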