Enabling MFA for specific organizations in a single-tenant Auth0 setup — behavior for existing users?

Hi everyone,

My application uses a single Auth0 tenant that supports multi-organization authentication. We want to enable MFA only for some organizations — is that possible with this setup?

Specifically:

  • Can MFA be enabled per organization (not tenant-wide) in Auth0?

  • If MFA is enabled for an existing organization, how does Auth0 handle existing user accounts in that org? Will users be prompted to enroll in MFA on next login, or is additional migration/configuration required?

  • Any recommended approach or pitfalls to watch for (rules, Actions, Guardian, custom flows, or required settings)?