Under Security -> Multifactor -> Factor Enrollment, I have set two factors as optional, and I have a rule set to enroll users the first time they are challenged for MFA.
I also have an app-level sign on policy to challenge users for MFA once per session.
This means users are required to complete MFA enrollment for one of the two factors at the start of their next session. What I want to do is allow users to choose whether or not they’d like to enroll in MFA at all. I.e. allow users to optionally self-enroll. How can I do this?