Would it be possible to be able to give administrators access to remove MFA factors from a User Profile?  Or, automatically remove the factors that don't apply to the new policy I'd move them to, with a warning beforehand of course.   Here's my situation, let's say a user is using a Yubikey for MFA because we set it up for use to RDP into certain workstations.  Later, the user's duties change and they no longer are in that position so we would have them return the Yubikey and put them into another Policy.  At that point they no longer would need Yubikey MFA, but the Yubikey is still registered to this user and we cannot reassign that Yubikey to another user.  It was suggested to unenroll the user and have them enroll again.  However, doing that will require them to have to answer the security questions again which would seem like more work for the end user than should be necessary.