Email authentication factor has been relocated to its own dedicated device card and is now presented as an independent authentication factor in the authentication prompt. Any user who has an email address associated with their account will be shown this device card if the Authentication Factors policy allows it.
To preserve prior behavior, these devices don't count towards a user’s enrollment status, requiring them to enroll or associate one non-email device (for example, mobile phone, security key) before being allowed to perform MFA.
User-initiated enrollment of email addresses is not supported. Only administrators or automated provisioning systems (SCIM, EAA) are allowed to set user’s email addresses. Users may only have one email address associated with their account.