Answer
Start by separating users by risk and workflow instead of forcing one MFA pattern onto everyone at once. Interactive admins, remote access users, occasional approvers, and service accounts usually need different controls if the rollout is going to hold up in production.
The practical goal is to add MFA where compromise risk is real while preserving the fastest possible path for routine work. Buyers should ask vendors how MFA fits green-screen access, VPN, web apps, emergency access, and non-human accounts before they approve a rollout.