Duo with RD Gateway - what to do about security without CAP/RAP?


We’re evaluating using Duo for our RD Gateway service, but I’m having a hard time with giving up our RAPs and CAPs. We use them extensively to lock down our remote users.

What are people doing without them? Simply relying on the user in question not being in other computers’ Remote Desktop Users group? I would not like an attacker to have full access to our domain with one compromised phone/credential. It almost seems to me that a RAP/CAP is safer for the greater good of the domain (while less safe for the individual PC, admittedly) than Duo + no RAP/CAP.

Hopefully I am missing something very obvious!