Your comments

Ideally, have an option whereby if a previously unknown user successfully authenticates via LDAP, then this user is immediately provisioned into the database and assigned roles based on LDAP group memberships.  You could also have it automatically send out the MFA notification for Google Auth if you have that enabled.

You can already do this using attachments to secrets, though it would be nicer for the process to be easier.