How to enforce 2FA

I enabled 2FA with FortiAuthenticator and it works fine if the user is imported in to FortiAuthenticator. However, users who are not imported in FortiAuthenticator still can login without 2FA. How can enforce policy/settings to have 2FA for all users.

 

Which version of RAS are you using?
In my case (v19), I had to enable MFA from the restrictions (under the MFA itself or via Site Defaults). The site default was "Disable MFA if user or group is everyone"