I looked through the posted articles, and I think the answer is this can not be done.
I have a paid account, from the web portal/login/vault I want to set a policy that all clients are required to use MFA and not count on the setup of the local client/extension.
Or to ensure MFA for use with the Premium Individual account?
As far as I am aware, so long as you have not selected the Remember me option, if your account (free or premium) has 2FA setup, then this will require verification during Login, but not for Unlock.
Sorry I was not clear, yes it is a premium individual membership. I have several devices connected to it, at wanted to setup MFA as a requirement in one place rather then setting it up each time. I have different vaults based on where I am accessing it from.
In the Web Vault, after you have set up a 2FA method (and saved the 2FA recovery code), use the option to Deauthorize Sessions (in the “Danger Zone” area). Then attempt to log in from one of your other clients. What happens — are you able to log in without 2FA?
Sadly that is not the behavior I am experiencing. MFA (Yubikey) is required to access my web vault, it is setup that way. It is not enforced ‘downstream’ to clients connecting, unless you manually configure the client itself.
Could you clarify this a bit more? As long as you have MFA setup on your Bitwarden Vault this should ask for your 2FA login for Yubikey (or whatever other 2FA methods are setup for your account) at every login.
The only cases this wouldn’t be prompted for 2FA would be if you are either Unlocking and not Logging in(as you already have your Vault data locally and only need to decrypt it, not authenticate yourself) or possibly if you have selected the Remember me option as described, which will not prompt you for 2FA for another 30 days
Were you able to try the steps outlined by @grb to Deauthorize sessions within your web-vault?