Security comes up on HN a lot, but I'm amazed this particular issue never really seems to. For nearly any major incident write up, you'll see the same old story. Attacker obtained administrative credentials, abused them on a domain controller to own the whole network. Most recent example:

https://blog.talosintelligence.com/2022/08/recent-cyber-atta...

For a company that keeps blogging about the need for MFA[0], to have the major product they've been riding on for 20 years not support any reasonably manageable MFA truly can't be understated.

I do think one of the issues here is people misunderstanding the problem. Internet forums are awash with people asking about "MFA on Active Directory", and the answer is usually in the form of third party plugins for RDP connectors. But RDP is only one way to access and damage a domain.

[0] https://www.microsoft.com/security/blog/2020/03/03/single-si...