If we have a CA policy that requires mfa and a device to be compliant, when will the user get the mfa prompt? after they enter in username into the application or portal? or will the CA policy just flat out deny the auth attempt because the device is not compliant ?