Users with the MFA Flag Set to False Receive the Email Notification

Problem Statement:

We enabled Adaptive MFA and use a flag/attribute in user_metadata to control MFA notifications. For users with the flag set to false, we expect that they bypass the MFA challenges, as defined in the Adaptive MFA rule. However, when those users log in for the first time, they still receive the email notification.

Solution:

Adaptive MFA not only triggers an MFA challenge when the login confidence is low (a high-risk login), but also covers the case where a login is risky (for example, a bad actor attempting to log in) and the user is not yet enrolled in MFA.

With Adaptive MFA, Auth0 sends an MFA Enrollment email to users who are not yet enrolled in MFA. That is why users receive the email notification the first time they log in, regardless of the flag: the rule decides whether the challenge is presented, not whether the enrollment email is sent. This behavior is documented below:
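The following is an added example, not code from this article and not Auth0's own code. It models the kind of Adaptive MFA rule the problem statement describes, written as a post-login Action, and separates the challenge decision from the enrollment state so the two can be compared for the same user. The flag name `user_metadata.mfa_required` is an assumption (the article does not name the flag); `event.authentication.riskAssessment.confidence`, `event.user.multifactor` and `api.multifactor.enable` are the documented post-login Action fields and method, while `decideMfa`, `makeRecordingApi` and the sample events are constructed here for the dry run.

```javascript
// Added example, not from the article or Auth0. Flag name `mfa_required` is assumed.

// Pure decision logic, kept separate from the Action so it can be run offline.
// Returns the challenge decision together with the user's enrollment state:
// the Action controls only `challenge`; the Adaptive MFA enrollment email for
// unenrolled users is sent by Auth0 independently of this code.
function decideMfa(event) {
  const user = event.user || {};
  const flag = (user.user_metadata || {}).mfa_required; // assumed flag name
  const enrolled = Array.isArray(user.multifactor) && user.multifactor.length > 0;
  const assessment = event.authentication && event.authentication.riskAssessment;
  const confidence = assessment ? assessment.confidence : 'unknown';

  // Flag explicitly false: skip the challenge, as the rule in the article intends.
  if (flag === false) {
    return { challenge: false, enrolled, confidence };
  }
  // Otherwise challenge whenever Adaptive MFA is not highly confident in the login.
  return { challenge: confidence !== 'high', enrolled, confidence };
}

// Action entry point. In an Auth0 Action this is assigned to exports.onExecutePostLogin.
async function onExecutePostLogin(event, api) {
  const decision = decideMfa(event);
  if (decision.challenge) {
    // 'any' lets the user pick from the factors enabled on the tenant.
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
  return decision;
}

// Constructed sample events (not real tenant data).
const sampleEvents = {
  // The case from the article: flag false, never enrolled, risky first login.
  flagFalseUnenrolled: {
    user: { user_id: 'auth0|example-1', user_metadata: { mfa_required: false }, multifactor: [] },
    authentication: { riskAssessment: { confidence: 'low' } },
  },
  flagTrueLowConfidence: {
    user: { user_id: 'auth0|example-2', user_metadata: { mfa_required: true }, multifactor: ['guardian'] },
    authentication: { riskAssessment: { confidence: 'low' } },
  },
  noFlagHighConfidence: {
    user: { user_id: 'auth0|example-3', user_metadata: {}, multifactor: ['guardian'] },
    authentication: { riskAssessment: { confidence: 'high' } },
  },
};

// Stand-in for the Actions `api` object that records what the Action asked for.
function makeRecordingApi() {
  const calls = [];
  return {
    calls,
    multifactor: { enable: (provider, options) => calls.push({ provider, options }) },
  };
}

// Dry run over the sample events; returns one row per event for inspection.
function runAll() {
  return Object.entries(sampleEvents).map(([name, event]) => {
    const api = makeRecordingApi();
    const decision = decideMfa(event);
    onExecutePostLogin(event, api); // enable() is invoked synchronously inside
    return { name, ...decision, enableCalls: api.calls.length };
  });
}

for (const row of runAll()) {
  console.log(JSON.stringify(row));
}
```

The first sample row is the situation the article describes: `challenge` is false because the flag is false, but `enrolled` is also false, and that enrollment state, not the Action's decision, is what causes Auth0 to send the MFA Enrollment email on the first login.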