I've carefully followed all the steps in this guide:

I've enabled SSL, setup a certificate and verified connectivity. The server and end computer are on the same domain and I've deployed the agent through the GINA Installation console page.

Under the MFA section I've enabled the Endpoint MFA and the MS Authenticator.  Logging on to my test box runs as normal; no 2FA.  The Reset Pwd/Unlock link/button is present.

Under the MFA Settings, if I untick "Bypass TFA if ADSelfService Plus is down", logon still runs as usual.

There must be more to the setup than what's in the link above.  I'm out of ideas and troubleshooting steps. Has anyone got this working?