Different authentication for some users

The problem is Ash, we have MFA setup to protect these users and it's completely bypassed by a LMI arbitrary  "feature". We use their corporate email addresses to control access through central. The email addresses are sent to their corporate owned accounts which they don't have access to outside of the firewall. For users with cable modems who's ip's can change week by week, this feature raised helpdesk support calls for us internally and we have no way to go snooping through their email to provide them with the code, hence they cannot access their computers remotely. 

We do not want to link users "personal email addresses" with our accounts whatsoever as our auditors would have a field day with this. It much less secure because the chances of our users having their email address compromised is much greater than their phone sim being spoofed. This was a poorly thought out feature and it boggles the mind why LMI decided to circumvent MFA to a text message on the users device and just send it to the email account instead despite centrals administratively defined MFA policies.

Frankly, what's more perplexing is that there was never any notice to LMI customers thats this would take place until well after we recieved tons of support calls from our userbase.  A much more logical approach would have been to disable this feature for customers that have MFA policies defined rather than force a customer to MFA where LMI wants them to.  Forcing our users to create personal gmail/hotmail accounts just to use your service isn't going to work for us and is way less secure. 

In any event, we are already looking into alternative solutions for our users but it's sad after almost 10+ years as a customer this is the path we have to take because of some overzealous idea that doesn't make an ounce worth of sense for customers who are already using MFA on their accounts.