As a identity manager, I would like to see a user-level setting (rather than tenant-level) that determines whether two-factor authentication is required or not.
