When adding a new user, they must be placed into an existing Group, as Groups cannot be deleted. The Group is then assigned to a Policy based on the specific use case, determining whether the user will be prompted for MFA or not.
Note: DENY policies > ALLOW policies. If a user belongs to both types of Groups, the DENY policy will be enforced.