# ory-copilot
f
@chilly-king-10285 is there any other way to set MFA on a user without using self-service flows via REST API?
b
A message from kapa.ai
Based on the available knowledge sources, Ory’s recommended and documented way to enable or configure multi-factor authentication (MFA) for a user is through self-service flows, which are exposed via REST APIs. These flows are designed for users to enroll and manage their own MFA methods, such as TOTP, SMS, or backup codes, typically through the user interface or by integrating with the self-service endpoints in your application logic.

The documentation does not describe an alternative, purely administrative or direct REST API method to set up MFA for a user without involving the self-service flows. There is mention of administrative actions such as deleting credentials (e.g., disabling 2FA for a user) via the Identity Admin API, but not for setting up MFA on behalf of a user. The self-service flows are the intended and secure mechanism for MFA enrollment, as they require user interaction for pairing devices or confirming codes, which is essential for security and compliance reasons [Self-service flows](https://www.ory.sh/docs/kratos/self-service) [MFA overview](https://www.ory.sh/docs/kratos/mfa/overview).

If you are looking for a way to programmatically enforce or require MFA, you can configure your project to require the highest available authentication assurance level (AAL) for certain operations, but the actual enrollment of MFA methods still happens through the self-service flows [Step-up authentication](https://www.ory.sh/docs/kratos/mfa/step-up-authentication).

In summary: No, according to the documentation, there is no supported way to set up MFA for a user without using the self-service flows via REST API. All MFA enrollment actions require user participation through these flows.
f
Can I do it as admin? @chilly-king-10285
b
A message from kapa.ai
Based on the available documentation, you cannot directly set up or enroll MFA (multi-factor authentication) for a user as an admin via the admin REST API. MFA enrollment—such as pairing a TOTP app, registering a WebAuthn device, or enabling SMS codes—requires user interaction through self-service flows. These flows are designed to ensure that only the user can securely register their second factor, which is essential for security.

As an admin, you can manage some aspects of user credentials, such as deleting 2FA credentials (e.g., disabling 2FA for a user) using the admin API, but you cannot enroll or set up MFA on behalf of the user. The user must complete the enrollment process themselves via the self-service endpoints or UI integration [Self-service flows](https://www.ory.sh/docs/kratos/self-service) [MFA overview](https://www.ory.sh/docs/kratos/mfa/overview) [Github Issue: Disable 2FA via Admin API](https://github.com/ory/network/issues/378).

In summary: No, you cannot set up MFA for a user as an admin; enrollment must be performed by the user through self-service flows.