If you use a password vault, such as CA PAM or similar, you can leverage that to generate short-lived passwords for login. That's about the best that can be done, so far as we've found; the "certificate" login it has isn't MFA since it's an unprotected soft certificate.
While it's not directly MFA, it can meet the need for short-lived passwords that can only be checked out via a strong credential such as a smartcard or other MFA provider.
Then layer on other protections as needed.
Like if you have Splunk or some other log monitoring tool, you can implement monitoring of that administrative access to alert in the event it is "outside the norm" - e.g., a global admin logging in outside of standard work hours, an unexpected IP address, and so on. And only allow administration on a non-exposed port that is locked down via firewall to only certain systems or network locations.
Basically layering in checks to ensure that (1) the administration port is only exposed to those who need it, (2) a strong credential was used to check out a temporary password to begin with, (3) passwords are short-lived to reduce exposure, (4) all access is immediately logged, and (5) all access is actively monitored in the event of misuse.
This still leaves the emergency break-glass account the app requires exposed - we did not have much luck having CA PAM manage that password yet. But this can be set to a very long random value that is not stored anywhere or kept encrypted somewhere for emergencies - again monitored for use, with an alert if it is ever logged in with.
Edit: This is for the thick client, which is what I assumed you were using.
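
The "outside the norm" monitoring described in the comment above, as an added example that is not part of the original post and is not Splunk or CA PAM configuration. The log line format, account names, work hours and admin subnet are all assumptions made for illustration.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed policy values for illustration; none come from the original post.
WORK_HOURS = range(8, 18)                   # 08:00-17:59, Monday to Friday
ADMIN_NETS = [ip_network("10.20.30.0/24")]  # hypothetical admin/jump-host subnet
BREAK_GLASS = {"emergency_admin"}           # hypothetical break-glass account name

# Constructed sample log: "<ISO timestamp> ADMIN_LOGIN user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-03-04T09:15:02 ADMIN_LOGIN user=jsmith src=10.20.30.14
2024-03-04T23:41:10 ADMIN_LOGIN user=jsmith src=10.20.30.14
2024-03-05T10:02:33 ADMIN_LOGIN user=akhan src=192.0.2.77
2024-03-06T14:20:45 ADMIN_LOGIN user=emergency_admin src=10.20.30.14
2024-03-09T11:00:00 ADMIN_LOGIN user=akhan src=10.20.30.21
not a parseable line
"""

def parse(line):
    """Return (timestamp, user, source_ip), or None if the line is malformed."""
    parts = line.split()
    try:
        if len(parts) != 4 or parts[1] != "ADMIN_LOGIN":
            raise ValueError("unexpected layout")
        fields = dict(p.split("=", 1) for p in parts[2:])
        return datetime.fromisoformat(parts[0]), fields["user"], ip_address(fields["src"])
    except (ValueError, KeyError):
        return None

def reasons(ts, user, src):
    """List every policy check this login trips; an empty list means normal."""
    checks = [
        (user in BREAK_GLASS, "break-glass account used"),  # any use at all alerts
        (ts.weekday() >= 5 or ts.hour not in WORK_HOURS, "outside work hours"),
        (not any(src in net for net in ADMIN_NETS), "unexpected source IP"),
    ]
    return [msg for hit, msg in checks if hit]

def find_alerts(log_text):
    """Return (alerts, skipped); skipped counts lines the parser rejected."""
    alerts, skipped = [], 0
    for line in log_text.splitlines():
        event = parse(line)
        if event is None:
            skipped += 1  # report parse failures instead of hiding them
        elif why := reasons(*event):
            alerts.append((event[1], str(event[2]), why))
    return alerts, skipped

if __name__ == "__main__":
    print(find_alerts(SAMPLE_LOG))
```

A non-zero skipped count is worth alerting on as well, since a changed log format would otherwise silence every check.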