We are looking to see if there is any kind of security that can be placed on AD so that, if a malicious user got hold of said AD, they could not add "Domain Admins" to an account without a secondary factor. Either the request would go to another user, who would have to click on something to approve or deny it, or it would go to an MFA app. We do use DUO MFA for OWA and soon VPN, but I do not see how it could stop an admin from running ADUC as their administrator user, creating a new user and adding an admin account. Also, if a hacker finds some kind of privilege escalation bug and wants to create a new domain account, this process should be emailed to the CIO or other admins, where they could click approve or deny. Of course, either ignoring the request or clicking deny would not allow "Domain Admin" privilege to be granted to the user.
I do not see any provisions in the current Microsoft user interface for this kind of thing, but with security these days I was not sure whether anyone is aware of a third-party product.
We are on a 2008 R2 level domain.
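As an added example (editor's code, not from the original poster or from Microsoft), the script below covers the detective half of what the post describes: it reads the Security log on each domain controller for member-added events against Domain Admins and the other privileged groups and reports who added whom, so that the change can at least be reviewed by other admins after the fact. It does not prevent the change; an admin running ADUC can still add the member, and a 2008 R2 domain has no built-in approval step for group membership. It assumes the audit policy "Audit Security Group Management" (or the legacy "Audit account management") is enabled on the DCs, that it runs under an account that can read their Security logs, and that the mail addresses and SMTP server in the commented-out Send-MailMessage line are placeholders to be replaced.

```powershell
# Added example: report additions to privileged AD groups from the Security log.
# Assumptions (editor's, not the poster's environment):
#   - "Audit Security Group Management" is enabled on every DC; otherwise 4728/4756/4732
#     are never written and this script finds nothing.
#   - Runs as an account allowed to read the DCs' Security log.
#   - PowerShell 2.0 or later (Get-WinEvent and Send-MailMessage exist on 2008 R2).
# Each DC logs only the changes made through it, so pass every DC in -DomainController.
param(
    [string[]]$DomainController = @($env:COMPUTERNAME),
    [int]$HoursBack = 24,
    [string[]]$WatchedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                                 'Administrators', 'Account Operators')
)

# 4728 = member added to a security-enabled global group (Domain Admins is global)
# 4756 = member added to a security-enabled universal group (Enterprise/Schema Admins
#        are universal in a multi-domain forest)
# 4732 = member added to a security-enabled local group (BUILTIN\Administrators)
$eventIds = 4728, 4732, 4756

$filter = @{
    LogName   = 'Security'
    Id        = $eventIds
    StartTime = (Get-Date).AddHours(-$HoursBack)
}

$alerts = foreach ($dc in $DomainController) {
    # Get-WinEvent throws when no events match, hence SilentlyContinue.
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML:
        # TargetUserName = group, MemberName = DN of the account added,
        # SubjectUserName = the account that performed the change.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($WatchedGroups -contains $data['TargetUserName']) {
            New-Object PSObject -Property @{
                Time      = $e.TimeCreated
                DC        = $dc
                EventId   = $e.Id
                Group     = $data['TargetUserName']
                MemberDN  = $data['MemberName']
                MemberSid = $data['MemberSid']
                ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }
    }
}

if ($alerts) {
    $body = $alerts | Sort-Object Time |
        Format-Table Time, DC, Group, MemberDN, ChangedBy -AutoSize | Out-String
    Write-Warning "Privileged group membership changed:`n$body"
    # Placeholder addresses and server; replace before enabling.
    # Send-MailMessage -To 'cio@example.invalid' -From 'ad-audit@example.invalid' `
    #     -Subject 'Privileged AD group change' -Body $body -SmtpServer 'smtp.example.invalid'
} else {
    "No additions to $($WatchedGroups -join ', ') in the last $HoursBack hours on $($DomainController -join ', ')."
}
```

Run it from a scheduled task on one management host with all DCs listed, for example `.\Watch-PrivGroups.ps1 -DomainController dc1,dc2 -HoursBack 1`. The `ChangedBy` column is the account that made the change, which is the attribution the post is after; an attacker who has already obtained Domain Admin rights can also clear the Security log, so forward these events to a collector the DC admins cannot write to rather than relying on the DC's own log.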