Problem:

You tried to enable 2FA in Keycloak as described in
https://docs.software-univention.de/keycloak-app/latest/configuration.html#two-factor-authentication-for-keycloak
but your user, being in the 2fa enabled group, and the group having the 2FArole adjusted, and the 2fa-browser flow is default, but still, the 2FA prompt does not appear.

Solution:

If you have more than one group mapper in your keycloak → ucs realm→user-federation→ ldap → mappers configured, with different filters, the synchronisation is not properly working. You should only have one group-mapper, with appropiate ldap-filters