### Brief Description I have noticed from my testing for a ~"GitLab Ultimate" customer that [2FA enforcement](https://docs.gitlab.com/security/two_factor_authentication/) on ~"gitlab.com" **does not** apply to users with the [Minimal Access](https://docs.gitlab.com/user/permissions/#users-with-minimal-access) role. Once these users are added to a group/subgroup with Guest or above, they are susceptible to the 2FA enforcement. ### Current Behaviour Users with `Minimal Access` in a top-level group with 2FA enforcement enabled are not required to set up 2FA for their account. ### Expected Behaviour I would expect that with 2FA enforcement enabled, that all members in the group would have to enable 2FA regardless of their role.