deweydecibel,

No, you can actually block them from adding additional devices. Once they add a TOTP device, they cannot add or change to another without admin approval.

But more to the point, if the admin requires the management of the authentication software, i.e. Bitwarden or Authy or whatever, then they clearly have concerns about the security of the MFA on the user’s device. If text messages are no longer considered secure then we move to the TOTP apps, but now if we’re just summarily deciding the apps are no longer considered secure, we’re demanding a secure app controlled by the admin must be used for MFA.

Can we not see where this is going next? Are we really under the delusion that because we have this magical Microsoft Authentication app now, MFA need never become more secure? This is the end of the road, nothing else will be asked of the user ever again?

If the concern is for the security of MFA on the user’s side of that equation, then trying to manage that security on a device that company does not own is a waste of time. Eventually this is not going to be enough.

So let’s just skip this step entirely and move on to fully controlled company devices used for MFA.
