We can enable 2FA, but it makes more sense to force it in organizations. Is there a configuration for this?

Currently, it can't be set as mandatory, but it's possible to display a notification saying that 2FA is not enabled and it's strictly recommended to enable it. That's done by setting "ShowRecommendationToConfigure" to true in data/settings/modules/TwoFactorAuth.config.json file.

If you believe adding a configuration option for mandatory 2FA is something other users would benefit from, feel free to post a feature request at: https://afterlogic.uservoice.com/forums/106725-ideas-for-afterlogic-products
We use that resource when developing product's roadmap, so if the feature gets a good number of votes, there's a better chance of it getting implemented.