Have you any view on a theoretical scenario: if 2-factor authentication for all users was outside a company's budget, how would you go about risk assessing which accounts should be mandatory for 2-factor, and which accounts could be made exempt? Have you any guidance, in a typical network, on which you'd make mandatory if budget doesn't allow for all, and which you'd make exempt?
Do you have a view on the benefits of having, say, 20% of your remote users using 2-factor for Citrix/VPN etc., and 80% not, i.e. is there much point in pursuing this for the high-risk 20%, and not the 80%, or is it still worthwhile for as many accounts as you can afford?
I'd rather avoid a debate on "well you should do it for all"... and focus on your view on how to prioritise mandatory accounts that should use 2-factor, and lower-risk accounts that could be made exempt.