Conditional Access VPN with Azure AD
I utilize Microsoft MFA with NPS and IKEv2 today. It does the job, but it would be great if clients could authenticate first to Azure AD and then get a time-based certificate from Azure, where the Firebox then has the Azure root cert created via Conditional Access to just authenticate the session. It would provide a much smoother experience.
I believe this would require the Firebox to accept certificate-based authentication that is dynamic, which I haven't found or been able to do.
For example, see:
MS Guidance on setting it up and how it works.