Member account root user best practices

Hello,

we are using AWS Control Tower and Account Factory for account provisioning. We have protected management account root email following recomended best practices, but we are not sure about member accounts.

Provisioned member accounts are created with random pregenerated password, if we wan't to secure new account root user we have to reset its password manually using Forgotten password and then configure its MFA.

What we'd like to do is

• Enable Disallow actions as a root user Guardrail for all OUs, which blocks all actions for root user including its MFA setup.
• Don't enable a password for root user after the account is enrolled as mentioned in https://docs.aws.amazon.com/organizations/latest/userguide/best-practices_member-acct.html#best-practices_mbr-acct_complex-password

In this case root email won't be able to do any actions. But the MFA won't be enabled so MFA for root user best practise and guardrail won't be satisfied. Also IAM dashboard will scream to all users that MFA is not enabled for root user (But we can explain our users that root email is "disabled" by SCPs).

What is the best practise here for protecting member account root user? It looks like best practices Disallow Actions as a Root User and Detect Whether MFA for the Root User is Enabled are mutually exclusive.

thanks Martin