If a user has Two-Step Authentication enabled and wants to disable it, they can go to the Settings > Account page. The Two-Step Authentication card will have a Disable button. If the domain is configured to require Two-Step Authentication, the Disable button will be replaced with a Reset button.
As for why the Enable button is greyed out for some users, that occurs when impersonating a user. This is because Two-Step Authentication requires action from the user to confirm they have access to an external email account or an authenticator app), depending on the method selected. As such, enabling Two-Step Authentication is not something that an administrator can do on behalf of a user.