...
As an authenticated user, that has editing rights to the targeted user use POST
[users] /users/{userId}/googleauth
The call of this endpoints sets above two three flags for the user: googleAuthAccount, googleAuthEnabled and googleAuthPending. They indicate, that from now on an MFA account has been set up, that MFA is enabled, and that the "enrollment" is pending.
With "enabled": false DELETE you would switch it off, again. Both All flags were then set to "false". the account is deleted.Switching on MFA for an already enabled user, would set both flags to "true", starting a new "enrollment".
WIth PUT you can temporary enable/disable the MFA, without deleting the account.
Authenticating using MFA
After switching on the MFA, a shared secret has to be exchanged during the first login process:
...