Admins should be able to at least disable 2FA/MFA for a selected user - since when they lock themselves out its a real problem.