baruwaproject / baruwa2

Baruwa 2.0
http://www.baruwa.org
GNU General Public License v3.0

Enforce MFA usage on users in a fail-safe way #157

Closed freakynl closed 2 years ago

freakynl commented 2 years ago

We have a customer whose helpdesk users all need admin accounts.

Customer needs MFA enforced on these accounts.

Currently the users need to add MFA themselves and occasionally lock themselves out. They can also disable it again.

We'd prefer a way that we can enable it on a user (and they can't disable it) and that they won't be able to log on until the MFA is configured in a fail-safe way. As in: redirect them to enrollment, show the code, have them enter a test code; if it's okay, enable/enforce; if it's not okay, don't allow them to log on but start enrollment again when they try to sign in again.
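The fail-safe flow requested above, written out as an added example (hypothetical code, not Baruwa's own implementation): an admin-set `mfa_required` flag the user cannot clear, a transient pending secret that is shown once and discarded on a failed test code, and a committed secret that only exists after the user has proven their authenticator works. The `User`, `begin_login`, `confirm_enrollment` and `disable_mfa` names are assumptions for illustration; the TOTP routine is a plain RFC 6238 implementation so the block runs on the standard library alone.

```python
"""Fail-safe MFA enrollment flow (hypothetical example, not Baruwa code)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Optional


def totp(secret: bytes, for_time: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; for_time lets tests pin the clock."""
    now = time.time() if for_time is None else for_time
    counter = struct.pack(">Q", int(now // step))
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class User:
    name: str
    mfa_required: bool = False              # set by an administrator, not the user
    mfa_secret: Optional[bytes] = None      # committed only after a verified code
    pending_secret: Optional[bytes] = None  # transient; discarded on failure


def begin_login(user: User, password_ok: bool, code: Optional[str] = None,
                now: Optional[float] = None) -> str:
    """Return 'denied', 'enroll' or 'ok'.

    An enforced user with no committed secret never gets past this step: they
    are sent to enrollment with a fresh pending secret every time, so a failed
    or abandoned enrollment can neither lock them out nor half-enable MFA.
    """
    if not password_ok:
        return "denied"
    if user.mfa_secret is None:
        if user.mfa_required:
            user.pending_secret = secrets.token_bytes(20)
            return "enroll"
        return "ok"
    if code is not None and hmac.compare_digest(totp(user.mfa_secret, now), code):
        return "ok"
    return "denied"


def provisioning_uri(user: User, issuer: str = "Example") -> str:
    """The one-time QR payload; the caller renders it once and does not persist it."""
    if user.pending_secret is None:
        raise RuntimeError("no enrollment in progress")
    b32 = base64.b32encode(user.pending_secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{user.name}?secret={b32}&issuer={issuer}"


def confirm_enrollment(user: User, code: str, now: Optional[float] = None) -> bool:
    """Commit the secret only if the user proves the authenticator works.

    On failure the pending secret is thrown away, so the next login restarts
    enrollment instead of leaving a secret the user may never have scanned.
    """
    if user.pending_secret is None:
        return False
    ok = hmac.compare_digest(totp(user.pending_secret, now), code)
    if ok:
        user.mfa_secret = user.pending_secret
    user.pending_secret = None
    return ok


def disable_mfa(user: User) -> bool:
    """Self-service disable is refused while an administrator enforces MFA."""
    if user.mfa_required:
        return False
    user.mfa_secret = None
    user.pending_secret = None
    return True


if __name__ == "__main__":
    u = User("helpdesk", mfa_required=True)
    print(begin_login(u, password_ok=True))        # enroll
    print(provisioning_uri(u))                     # shown once
    print(confirm_enrollment(u, totp(u.pending_secret)))  # True
    print(disable_mfa(u))                          # False: enforced
```

The two checks a reviewer would look for are that `mfa_secret` is only ever assigned inside `confirm_enrollment` after a matching code, and that every other exit path clears `pending_secret`, so the account is always either fully enrolled or cleanly back at the start of enrollment.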

tomtakan commented 2 years ago

@freakynl Admin users are allowed to disable MFA themselves. Normal users are not. Please clarify if you want to prevent admin users from disabling MFA. With regards to locking themselves out, how exactly does that happen, as the instructions are clear: do not show the QR code unless you are ready to scan it. The QR code can only be shown once, otherwise it defeats the secure workflow.

tomtakan commented 2 years ago

This has been implemented and will be in the next release.