MFA for enrolled users only

Hi

I’d like to start allowing MFA for those users who want it, but not force it upon everyone. (Changing the MFA to ‘Always’ appears to prompt everyone to enrol when they log in, so this is not an option.)

Is there a way, possibly with an action, to have a PostLogin event which checks if a user is enrolled in MFA, and if so, then triggers the MFA authentication process on every login? However, for users who are not enrolled (or just signing up), ignore MFA and log them in.

Thanks
Scott
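
The check described in the post, as an added example that is not part of the original post. It assumes the platform is Auth0 Actions (the post does not name it) with the tenant MFA policy left at "Never", so that only this Action decides. `shouldChallengeMfa` and `simulateLogin` are hypothetical helper names, and the sample users are constructed.

```javascript
// Added example: post-login Action that challenges only users already enrolled in MFA.
// Assumption: Auth0 Actions post-login trigger (event, api); tenant MFA policy = "Never".

// Hypothetical helper: pure decision so the rule can be tested without a tenant.
function shouldChallengeMfa(event) {
  const user = (event && event.user) || {};
  // event.user.multifactor lists the MFA providers the user is enrolled with.
  // It is missing or empty for users who never enrolled, including new sign-ups.
  return Array.isArray(user.multifactor) && user.multifactor.length > 0;
}

const onExecutePostLogin = async (event, api) => {
  if (shouldChallengeMfa(event)) {
    // 'any' lets the platform pick among the factors the user has enrolled.
    // allowRememberBrowser: false removes the "remember this browser" skip,
    // so the challenge happens on every login, as the post asks.
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
  // Not enrolled: do nothing, and the login completes without an MFA
  // prompt and without an enrolment prompt.
};

// In the Actions editor the handler is exposed through `exports`.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Hypothetical test harness: run the handler against a constructed user with a
// mock `api` and return the multifactor.enable calls it made.
function simulateLogin(user) {
  const calls = [];
  const api = {
    multifactor: {
      enable: (provider, options) => calls.push({ provider, options }),
    },
  };
  // The handler has no awaits, so its body has run by the time this returns.
  onExecutePostLogin({ user }, api);
  return calls;
}

// Constructed sample users.
const enrolledUser = { email: 'enrolled@example.com', multifactor: ['guardian'] };
const newSignup = { email: 'new@example.com' };
const unenrolledUser = { email: 'plain@example.com', multifactor: [] };
```

Because the decision rests on enrolment state alone, a user whose MFA enrolment is reset or removed drops back to single-factor login, so enrolment resets deserve the same monitoring as password resets.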