By default, users who log in to Salesforce through an authentication provider that supports single sign-on (SSO) are no longer subject to multi-factor authentication (MFA) challenges in Salesforce. To restore MFA challenges for those users, you can update the session security levels for their assigned profiles.
Where: This change applies to Lightning Experience, Salesforce Classic, and the Salesforce mobile app in Personal, Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer editions.
How: To restore MFA challenges for a user, set Session Security Level Required at Login to High Assurance and confirm that Multi-Factor Authentication is in the High Assurance column.