I can see it’s possible to add a rule to conditionally enable mfa on a per request basis (as detailed here).
This requires the global “Require Multi-factor Auth” setting to be set to “Never”.
That all makes sense, we can trigger the MFA flow on a request by request basis using some arbitrary logic in a rule, which is very useful.
However, is it possible to do the opposite i.e. set the global “Require Multi-factor Auth” setting to be set to “Always” instead and then disable the MFA flow for select users instead?