For security enhancement, I'd like to enforce MFA for everyone trying to access our Google Cloud project(s).
Our project has third-party partners, some of which doesn't have a domain and is using gmail.com addresses for authentication.
I did saw a similar topic, but it did not clarify what will happen to the users that do not belong to the same organization as the GCP project.
AFAIK, enforcing MFA can be enabled in Cloud Identity, which is not a Google Cloud product but a subset of Google Workspace. And, for accounts with gmail.com, there's no way I'm able to access the Cloud Identity settings for gmail.com.
In AWS IAM, we can use aws:MultiFactorAuthPresent in IAM policy condition for something similar to have conditional access for users with or without MFA.
Is there any way to reject Google API request from user has permission but without MFA enabled?