Listing ALL users with 2FA

Really? you are expecting customers of a paid platform to use process of elimination to find user without MFA enabled? I understand that being able to enforce it might be a premium feature (even though it shouldnt)

Surely this is basic security 101 for an online platform, along with some other basic security features that seem to be lacking?

I dont think having security as a premium feature is really the way to go as this a basic necessity these days. and in the event a customer account is breached it will be Atlassian's name on the media posts and the shrugging of shoulders and a response saying should or paid us more money I dont think sounds very responsible.

Security should be for all versions (perhaps not free versions) and then enhance them with some extra levels but to restrict basic level security for all but the big spenders seems wrong, even MS offer the basic tiers a decent security suite

Hey @Paul Burville,
Apologies if my above statement has caused any confusion. In my above statement, I meant the "process of elimination" only entails a filter to be selected, which can be used once the export has been done. Please see the available process below. 

Find the accounts without two-step verification enabled

You can see a list of all accounts from your verified domains that don't yet have two-step verification enabled:

1. Go to admin.atlassian.com. Select your organization if you have more than one.

2. Select Directory > Managed accounts.

3. Select All accounts dropdown.

4. Under Two-step verification, select Not enabled.

We’ll provide a list of Atlassian accounts that are managed in your organization without two-step verification enabled. 

Alternatively, you can also reach out to Atlassian Support if you wish to get help. .

The MFA facility can be used by any user for their Atlassian account at no cost irrespective of the plan. However, as an organization admin, if you'd like to require all your users to enable two-step verification, you'll need an Atlassian Access (soon to be Atlassian Guard Standard) subscription. For such managed accounts, the domain has to be verified. 

I hope this clears any confusion. 
Doc: https://support.atlassian.com/security-and-access-policies/docs/enforce-two-step-verification/

Hi Yes I understand what you meant, it just seems that for something so simple I don't see what this cant be an option of the user list in admin, rather than having to create an export and then filter it, which seem pretty clunky. As I said I don't think security management should be the reserve of a premium subscription, I understand a free account not getting it. 

Thanks for responding though appreciate it.