Update user metadata after MFA completion

Hi there @hunter1!

Unfortunately, as you’ve noticed, MFA does not complete until after Actions/Rules have executed. It’s outside the scope of an Action, but you could potentially look at ID token claims to see if MFA was performed, or add a claim to an access token to indicate that MFA was required for a given login and go about it that way. An ID token returned after a login requiring MFA will contain both the acr and amr claims:

Hope this helps!
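
The claim check suggested in the reply above, as an added example that is not part of the original post and is not Auth0's own code: a backend inspects the acr and amr claims of an ID token before treating the login as MFA-completed. The claim values are assumed from Auth0's documentation for MFA logins; the function names, sample subject and sample tokens are constructed for illustration.

```javascript
// Added example: decide from ID token claims whether a login included MFA.
// Assumption: these are the claim values Auth0 documents for MFA logins.
const MFA_ACR = 'http://schemas.openid.net/pape/policies/2007/06/multi-factor';

// Decode the payload segment of a compact JWT. This does NOT verify the
// signature: verify the token against the tenant's signing keys with a JWT
// library first, and only then trust the claims.
function decodePayload(idToken) {
  const parts = String(idToken).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Returns { mfa, reason }. Fails closed: a missing or unexpected claim
// is treated as "MFA not performed".
function checkMfaClaims(claims) {
  if (!claims || typeof claims !== 'object') return { mfa: false, reason: 'no claims' };
  // amr is normally an array of strings; tolerate a single string value.
  const amr = Array.isArray(claims.amr) ? claims.amr
    : typeof claims.amr === 'string' ? [claims.amr] : [];
  if (!amr.includes('mfa')) return { mfa: false, reason: 'amr lacks "mfa"' };
  if (claims.acr !== MFA_ACR) return { mfa: false, reason: 'acr is not multi-factor' };
  return { mfa: true, reason: 'acr and amr indicate MFA' };
}

// Constructed sample tokens (placeholder signature, hypothetical subject).
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}
const withMfa = makeSampleToken({ sub: 'auth0|example', acr: MFA_ACR, amr: ['mfa'] });
const withoutMfa = makeSampleToken({ sub: 'auth0|example' });

console.log(checkMfaClaims(decodePayload(withMfa)));
console.log(checkMfaClaims(decodePayload(withoutMfa)));
```

Run the user metadata update only when `checkMfaClaims` returns `mfa: true` for a token whose signature, issuer and audience have already been validated.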