Issue with Refresh Token Grant Failing Due to mfa_required (403 Forbidden)

Hi @exchanga

I believe this community post will be able to answer your questions.

Basically, you would need to set the MFA policy to None and enforce it using a Post-Login Trigger, so that whenever a user authenticates via the `oauth2-refresh-token` protocol, MFA will not be enabled.

If you have any other questions, let me know!

Kind Regards,
Nik
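The approach described in the reply above, written out as an added example (this is not code from the original post or from Auth0's documentation): an Auth0 Post-Login Action that requests MFA for every interactive login but skips it when `event.transaction.protocol` is `oauth2-refresh-token`, so a refresh-token grant is never answered with a 403 `mfa_required`. The Action API names used (`event.transaction.protocol`, `api.multifactor.enable`) are Auth0's documented ones; the `mfaRequestedFor` helper and its stub `api` object are constructed here purely so the logic can be exercised offline.

```javascript
// Added example: Auth0 Post-Login Action that skips MFA for refresh-token grants.
// In a deployed Action this function is assigned to exports.onExecutePostLogin;
// here it is a plain const so the file also runs as a stand-alone script.

// Non-interactive grant protocols for which MFA must not be demanded.
// A refresh-token exchange cannot show an MFA prompt, so requiring MFA there
// surfaces as a 403 mfa_required at the /oauth/token endpoint.
const NON_INTERACTIVE_PROTOCOLS = new Set(["oauth2-refresh-token"]);

const onExecutePostLogin = async (event, api) => {
  const protocol = event.transaction && event.transaction.protocol;

  if (NON_INTERACTIVE_PROTOCOLS.has(protocol)) {
    // Tenant MFA policy is "None", so doing nothing here means no MFA for refreshes.
    return;
  }

  // Every interactive protocol (authorization code, PKCE, OIDC basic profile, ...)
  // gets MFA enforced by the Action instead of by the tenant-wide policy.
  api.multifactor.enable("any", { allowRememberBrowser: false });
};

// Constructed test helper (not part of the Action runtime): runs the Action with a
// minimal stub of the Actions `api` object and reports whether MFA was requested
// for the given transaction protocol.
async function mfaRequestedFor(protocol) {
  let requested = false;
  const apiStub = {
    multifactor: {
      enable: () => {
        requested = true;
      },
    },
  };
  await onExecutePostLogin({ transaction: { protocol } }, apiStub);
  return requested;
}

// Stand-alone demo: a refresh-token grant should not trigger MFA,
// while an interactive OIDC login should.
mfaRequestedFor("oauth2-refresh-token").then((v) =>
  console.log("oauth2-refresh-token -> MFA requested:", v)
);
mfaRequestedFor("oidc-basic-profile").then((v) =>
  console.log("oidc-basic-profile -> MFA requested:", v)
);
```

With the tenant MFA policy set to None, this Action becomes the only place MFA is enforced, so the `NON_INTERACTIVE_PROTOCOLS` check is what keeps refresh-token exchanges working; any protocol not listed there still requires MFA.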