Hello,
I can see it’s possible to add a rule to conditionally enable mfa on a per request basis (as detailed here).
This requires the global “Require Multi-factor Auth” setting to be set to “Never”.
That all makes sense, we can trigger the MFA flow on a request by request basis using some arbitrary logic in a rule, which is very useful.
However, is it possible to do the opposite i.e. set the global “Require Multi-factor Auth” setting to be set to “Always” instead and then disable the MFA flow for select users instead?
Thanks,
Lee
I had this same problem. Finally found some documentation here: Customize Adaptive MFA with Rules
I ended up implementing a rule like the following:
function disableMultifactorForSpecificUsers(user, context, callback) {
if (user.app_metadata && (user.app_metadata.skip_mfa === true)) {
console.log(`${user.email} skipping MFA`);
context.multifactor = {
provider: 'none',
};
}
callback(null, user, context);
}
And then under the specific users that are allowed to skip mfa added a "skip_mfa":true item to the app_metadata so that we control who can skip and who can’t. Our primary use case is developers when the sms messages goes beyond 10 per hour for a user, and for the app reviewer user for app store.
I hope this helps,
-jeremy
Welcome to the community @copiousfreetime and @lmcmullen - Thanks a bunch for the follow up on this @copiousfreetime 
A quick note for future community users - I’m not positive (yet) that there is an equivalent to this using Actions, but going to route mentioned requiring multi-factor auth set to “Never” in Security → Multi-Factor Auth.
exports.onExecutePostLogin = async (event, api) => {
//skip mfa for users with skip_mfa flag in app_metadata
const userAppMetaData = event.user.app_metadata;
if (!(userAppMetaData.skip_mfa == true)) {
console.log(`user ${event.user.email} mfa enforced`)
api.multifactor.enable(`any`);
} else {
console.log(`user ${event.user.email} skipped mfa`)
}
};
Hope this helps!