Suggestion - Better 2FA? I was asking about the latter, master account enforcing 2FA on sub-admin accounts (or a role for some sub-admin accounts to do so for others)--sorry about the vague phrasing.
I can definitely understand the rationale, since we see extra volume of support requests any time 2FA is enabled without an experienced tech closely coordinating with the account holder. But in our situation, where everyone who would be accessing our portal as a sub-admin should be at minimum tier 1 service desk staff, and all of those accounts have administrative access on multiple levels for multiple tenants, and the time gap between account creation and introductory training dates for each system can vary depending on overall team capacity--it would bring significant peace of mind to be able to enforce 2FA.