We tend to do a lot of experimenting. We have both Google Authenticator set up (easy), and SAML against Azure AD (difficult to set up) - and we have MFA enabled for Azure AD, so that uses the Microsoft Authenticator. NPS+Azure AD MFA is a pain because of the lack of logs and diagnostics when things go wrong. If you want MFA for client VPN, use a third-party solution, like the Duo RADIUS server. If you want to enable "global" MFA for the Dashboard, use a third-party SAML provider like Duo. You can also use Azure AD if you don't mind doing a bit of extra setup work and Googling. We use Azure AD because we already use Office 365, and it was more convenient to have the one system for everything.