I would like all of my users to use two-factor authentication. However, I want them to be able to save devices. Per this article (and personal experience), it does not let you save devices if you enforce the policy at the account-holder level. I would be satisfied with periodically checking the status of two-factor on my users' accounts. However I have not found a way to audit this. Is it possible?