Hi @ben24,
Welcome to the Auth0 Community!
Thanks for the details.
Post Login Actions run every time a user authenticates (including the silent auth that happens during SSO between apps). This means that you are going to see a prompt for MFA every time there is an auth event.
To avoid the second prompt for MFA, you need to add some conditional, whether it is based on time (i.e. storing a timestamp in app_metadata), or type of authentication (this thread might be helpful).
Either way, you are in control of when/how MFA is prompted when you use an Action, so make sure to evaluate whether or not it is securing your app properly.
Hope this helps!
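A sketch of a Post Login Action that combines the two conditions mentioned in the reply above, added here as an example and not part of the original post. The `last_mfa` metadata key and the 12-hour window are assumptions; `event.authentication.methods`, `api.multifactor.enable` and `api.user.setAppMetadata` are the Actions API.

```javascript
// Added example. LAST_MFA_KEY and MAX_AGE_MS are assumed names/values, not Auth0 defaults.
const LAST_MFA_KEY = 'last_mfa';          // hypothetical app_metadata key
const MAX_AGE_MS = 12 * 60 * 60 * 1000;   // assumed re-prompt window: 12 hours

// Most recent MFA completion recorded in the current session, or null.
function sessionMfaTime(event) {
  const methods = (event.authentication && event.authentication.methods) || [];
  const times = methods
    .filter((m) => m.name === 'mfa')
    .map((m) => Date.parse(m.timestamp))
    .filter((t) => !Number.isNaN(t));
  return times.length ? Math.max(...times) : null;
}

// Returns true when this auth event must be challenged with MFA.
function needsMfa(event, now) {
  // Type-of-authentication check: the session already completed MFA (e.g. silent auth).
  if (sessionMfaTime(event) !== null) return false;
  const stored = Date.parse((event.user.app_metadata || {})[LAST_MFA_KEY]);
  // Missing, unparsable or future-dated timestamps fail closed: prompt.
  if (Number.isNaN(stored) || stored > now) return true;
  return now - stored > MAX_AGE_MS;
}

function applyMfaPolicy(event, api, now) {
  const done = sessionMfaTime(event);
  if (done !== null) {
    // Record only a completion the event confirms, never the moment of the prompt.
    api.user.setAppMetadata(LAST_MFA_KEY, new Date(done).toISOString());
  }
  if (needsMfa(event, now)) {
    api.multifactor.enable('any', { allowRememberBrowser: false });
    return 'prompt';
  }
  return 'skip';
}

async function onExecutePostLogin(event, api) {
  applyMfaPolicy(event, api, Date.now());
}
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```

The stored timestamp lives on the user profile, so inside the window it skips MFA for a new session of that user on any device, whereas the session check is tied to the session that actually completed MFA.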