@Dashrender I'm a 3rd party to the end customer here. Acting as the middle man as the customer's IT department wanted to engage outside support to try and vet different products.
I candidly told the customer that while this product will work, it won't work with all of the features they want without some substantial changes to their infrastructure and that the support (at least from this vendor) is pretty awful.
The simple approach here is to not integrate RFID/HIDs with the system and simply use the AD Integration with the built-in QR codes that each member is assigned.
Just because something may be supported doesn't imply that it is supported.
Except in this case the vendor very clearly has stated they support you adding custom attributes within AD.
I ought to have clarified. DUO MFA comes into play with Outlook for our mailboxes that are in Exchange Online. On-prem mailboxes (the few we have left) aren't subject to DUO.
Are those that are left on prem - are they actual users? If so, I'm curious why they can't be migrated?
Eventually all users will be migrated, so, yes, we still have real users on-prem.
This is outside the scope of the original question / scenario, but I've learned a good bit during this process, with much of that learning validating a few things I already knew, such as the value of taking the necessary time to plan and prep the environment for migration (removing unnecessary objects, etc.).
Make an AD group called workstation_admins and add that group to the local administrators account on each desktop. This group does not need any AD rights and nobody's account should be in there except for IT admin accounts. Even those IT admin accounts should not be used on local desktops to log in on a regular basis. Only when elevation is actually needed, and even then you should use run as.
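The setup described in that post, as an added PowerShell example (not code from the thread): create the domain group, add it to the local Administrators group on a workstation, and audit local Administrators for anything that should not be there. It assumes the RSAT ActiveDirectory module on the admin host, PowerShell 5.1+ on the workstation, and the placeholder NetBIOS domain name CONTOSO.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory module,
# PowerShell 5.1+ (LocalAccounts cmdlets) and a placeholder domain 'CONTOSO'.
Import-Module ActiveDirectory

# 1. Domain group with no AD rights of its own; its only job is to carry
#    local admin membership on workstations.
$groupName = 'workstation_admins'
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Description 'Local admin on workstations only. IT admin accounts only.'
}

# 2. On each workstation (startup script, Invoke-Command, or the equivalent
#    Group Policy setting at scale), add the domain group to local Administrators.
$domainGroup = "CONTOSO\$groupName"
$members = Get-LocalGroupMember -Group 'Administrators'
if (-not ($members | Where-Object Name -eq $domainGroup)) {
    Add-LocalGroupMember -Group 'Administrators' -Member $domainGroup
}

# 3. Audit: anything in local Administrators other than the domain group and
#    the built-in local Administrator account is worth a look. Daily-use user
#    accounts showing up here is exactly what this setup is meant to prevent.
$allowed = @($domainGroup, "$env:COMPUTERNAME\Administrator")
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $allowed -notcontains $_.Name } |
    ForEach-Object {
        Write-Warning "Unexpected local admin: $($_.Name) ($($_.ObjectClass), $($_.PrincipalSource))"
    }

# 4. Day-to-day: stay logged in as the normal account and elevate only when
#    needed, e.g. with run as (replace 'jdoe.admin' with the actual admin account).
#    runas /user:CONTOSO\jdoe.admin "mmc.exe compmgmt.msc"
```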
I do this - Those who need it have a workstation admin account and a local non admin normal account.
I am surprised that MS didn't come out with a better solution for this ages ago. That whole Direct Connect or whatever it was called - phone home VPN solution they have for Enterprise edition only - what a kluge.
They are working on phasing this out. DirectAccess was a kludge that is being replaced by Always-On-VPN, which works on Windows Professional and up and requires very little outside of a certificate and Group Policies (or Intune).