Currently, when an account does not have 2FA enforced globally, individual users can still enable 2FA from their own profiles.

This often leads to access issues, as users who enable 2FA individually may later get locked out or require the account admin to manually resend 2FA emails and help disable it.

Admins would like a way to control or restrict users from enabling 2FA on their own profiles when 2FA is not enforced at the account level.

Right now, the admin can enforce enabling 2FA globally from account settings, but the reverse control (preventing 2FA per user) is missing.

This feature would give admins more control and help avoid unnecessary access management overhead and user confusion.