Duo Web SDK v4 beyond login - Administrative actions

wender
Level 1

I am starting an integration using the Web SDK for a web application. The login flow fits perfectly well with the example provided in the Duo Web SDK documentation, and we plan to implement it as described.

However, our application includes a feature we call "administrative actions." These are sensitive operations (e.g., modifying user permissions) that occur post-login and require two-factor authentication (2FA) verification before execution.

  1. Is the Web SDK the appropriate solution to handle these "administrative actions" flows, or would you recommend using a different approach? (How do you recommend implementing this flow while keeping the user on the page where the "administrative action" is performed?)
  2. Does the Web SDK have any limitations or constraints for handling multiple 2FA requests?
  3. Would implementing post-login 2FA for these flows with the Web SDK require any specific configuration changes or additional considerations beyond the default setup?
  4. If we decide to add mobile support for login, can the Web SDK be used as well? What about administrative actions?

DuoKristina
Cisco Employee

>(How do you recommend implementing this flow while keeping the user on the page where the "administrative action" is performed?)

In WebSDK implementations a redirect to Duo for MFA is required. Maybe pop up a separate window for the elevation MFA and store the result in your application such that the elevated action knows that it was authenticated?

>Does the Web SDK have any limitations or constraints for handling multiple 2FA requests?

Each request should be independent but there shouldn't be an issue with multiple users authenticating concurrently or near-concurrently.

>Would implementing post-login 2FA for these flows with the Web SDK require any specific configuration changes or additional considerations beyond the default setup?

The Duo WebSDK and our service aren't going to know if the MFA requests they get are coming from the initial log in to your application or from these elevated actions. I guess the one config you might want to warn against is using any Duo policy setting that allows bypassing MFA prompts, i.e. if someone uses remembered devices and chooses to remember the device for initial app login MFA, that remembered device session could make them skip an active MFA approval for an administrative action; or if someone configures an authorized networks IP or IP range that skips MFA, then the users also wouldn't perform active MFA approval for an administrative action; etc.

>If we decide to add mobile support for login

Should be fine as long as your mobile app can handle the redirect to Duo for MFA as well. Here's a Duo KB article with some advice about Duo's MFA prompt, the ability to use WebAuthn authenticators, and various mobile webviews: https://help.duo.com/s/article/8433.

Duo, not DUO.
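One way to implement what the reply describes (a separate Duo prompt for the elevated action, with the result stored in the application so the action knows it was authenticated) as an added example, not code from the original thread or from Duo. It assumes a server-side session object, the two method names of the `duo_universal` Python client (`create_auth_url`, `exchange_authorization_code_for_2fa_result`), and a constructed `FakeDuo` stand-in so it runs offline; the `ELEVATION_TTL` window and the per-action, single-use binding are design choices, not Duo requirements. The Duo-side bypasses the reply warns about (remembered devices, authorized networks) happen before this code runs, so they are handled by policy, not here.

```python
"""Step-up MFA gate for post-login admin actions around the Duo Web SDK v4 redirect
flow. Added example, not Duo's code; the Duo client is injected (in production
duo_universal.client.Client, whose two method names are used here)."""
import secrets
import time
from dataclasses import dataclass, field

ELEVATION_TTL = 300  # seconds a completed elevation stays usable (assumed policy)

@dataclass
class Session:
    username: str
    pending: dict = field(default_factory=dict)   # state -> (purpose, action)
    elevated: dict = field(default_factory=dict)  # action -> completion time

def begin_prompt(session, duo, purpose, action=None):
    """Start one Duo prompt. The state is stored with its purpose ("login" or
    "elevate") so a login callback cannot be replayed to satisfy an elevation."""
    state = secrets.token_urlsafe(32)  # duo.generate_state() in the real SDK
    session.pending[state] = (purpose, action)
    return duo.create_auth_url(session.username, state)  # open this in the popup

def complete_prompt(session, duo, state, duo_code, purpose, now=None):
    """Redirect-URI handler: True only if the state was issued for this purpose
    and Duo reports an allowed authentication. The state is single-use."""
    entry = session.pending.pop(state, None)
    if entry is None or entry[0] != purpose:
        return False
    token = duo.exchange_authorization_code_for_2fa_result(duo_code, session.username)
    if token.get("auth_result", {}).get("result") != "allow":
        return False
    if purpose == "elevate":
        session.elevated[entry[1]] = time.time() if now is None else now
    return True

def consume_elevation(session, action, now=None):
    """Gate in front of the admin action: fresh, single-use, bound to the action.
    Duo-side bypasses (remembered devices, authorized networks) happen upstream."""
    done = session.elevated.pop(action, None)
    if done is None:
        return False
    return (time.time() if now is None else now) - done <= ELEVATION_TTL

class FakeDuo:  # constructed offline stand-in for duo_universal.client.Client
    def __init__(self, result="allow"):
        self.result = result
    def create_auth_url(self, username, state):
        return "https://api-XXXXXXXX.duosecurity.com/oauth/v1/authorize?state=" + state
    def exchange_authorization_code_for_2fa_result(self, duo_code, username):
        return {"preferred_username": username, "auth_result": {"result": self.result}}
```

In the real callback, the `state` and `duo_code` come from the query string of the redirect URI, and the popup window can simply close once `complete_prompt` returns True.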