A client of ours asked us to find a secure and easy-to-use solution for their users to connect to a few internal web pages and RD-servers. The use of an authenticator is mandatory.
I've found a way to set it up, but I want to know if there is a better way to do it. If there isn't, this can be considered a feature request.
Right now there are two user groups in Active Directory; one group named mfa_setup and another one named mfa_users. Users in the mfa_setup group are allowed to sign in to the SSL webpage with only their username and password. No icons and apps are shown there, so they should only be able to set up the authenticator.
After this, an administrator has to move the user manually to the mfa_users group so that the user is asked for the authentication code next time. This also makes them able to sign in to the CudaLaunch app and use a basic set of resources.
I know this is possible in the full SSL VPN solution, but I want to provide users with a one-time password and/or to let them sign in one time without the authentication code. But with that, they shouldn't be able to use any of the apps.