Would it be possible to add a permission so 2fa users are excluded from the password expiry permission? For example if you have the force password reset set to once a year it will only effect users not using 2fa.
Thank you for suggesting this feature, it has now been implemented. We are aiming to include any changes that have been made in a future release (4.7.0).
Change log:
Feature: Optionally exclude TFA-enabled users from batch update actions