Currently, when the External User Security feature is turned on, it applies to all external users (registered in a domain that is not verified in the Atlassian Organization). This means that those users will have to go through the 2FA challenge when trying to access sites registered under that Organization. 

A scenario where this can be problematic is when the company has multiple Atlassian Organizations, each one with its own subset of verified users. They are all from the same parent company, but can face challenges when accessing sites on their separate Organizations. 

Suggestion

It would be helpful to have the option to select which users would be covered by the External User Security feature.

The perfect scenario would be to implement a filter by domain, giving the option to exclude specific domains or decide which domains should be covered by the feature.