2FA enforced for all sub groups. Will this always be true?

Hi All

Trying to enforce 2FA for a main group, as well as all sub groups.
This since we need it enabled at all levels from top to lower, without anyone changing it.

I read and followed the

I ticked

  • Require all users in this group to setup two-factor authentication
    and ensured this one was not ticked
  • Allow subgroups to set up their own two-factor authentication rules

In my understanding this would force the users in all groups, and sub groups under this main group, to have to use 2FA.

But I have two confusions…

  1. If you add additional members to a project within a group or subgroup that has 2FA enabled, 2FA is not required for those individually added members.

  2. Projects belonging to a 2FA-enabled group that is shared with a 2FA-disabled group will not require members of the 2FA-disabled group to use 2FA for the project. For example, if project P belongs to 2FA-enabled group A and is shared with 2FA-disabled group B, members of group B can access project P without 2FA. To ensure this scenario doesn’t occur, prevent sharing of projects for the 2FA-enabled group.

Would anyone be able to shed some lights on this

Thanks in advance