Requiring multi-factor authentication using computer roles

Computer roles enable you to group and provide access to computers through role assignments. One strategy you might find useful is to use computer roles to control where multi-factor authentication should apply. For example, you might have several computers with highly sensitive material where you want to ensure all user access will require multi-factor authentication. To accomplish this goal, you can configure a computer role, then add and remove computers with sensitive information to control whether multi-factor authentication is required.

To require multi-factor authentication based on a computer role

  1. Open Access Manager.
  2. Expand Zones and the individual parent or child zones required to select the zone name that will contain the new computer role.
  3. Expand Authorization to select Computer Roles, right-click, then click Create Computer Role.
  4. Type the role name and, optionally, a role description, then select <Create group> for the Computer group to create a new Active Directory group for computers.

    For example, to create a new Active Directory security group for the computers with sensitive information, click Browse to select the Active Directory location for the new group. If you are using the default deployment structure, you would browse to a location similar to acme.pubs.org/Acme/Computer Roles, then type a group name such as mfa_required_servers, select a scope, and click OK.

  5. Click OK to save the new computer role.
  6. Add the computers that require multi-factor authentication for access to the mfa_required_servers Active Directory security group.

    As you add computers to the Active Directory security group, the computers are listed as Members of the computer role.

  7. Expand the computer role you created in Step 4, select Role Assignments, right-click, then select Assign Role.

    For example, if you created a new computer role with the role name CR_MFA_required, expand that computer role name to select Role Assignments, right-click, then select Assign Role.

  8. Select the predefined require MFA for login role definition, then click OK.
  9. Select All Active Directory accounts, then click OK.
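
Because the set of computers that require multi-factor authentication is exactly the membership of the mfa_required_servers security group, the group can also be created and maintained outside the Access Manager console. The following is an added example, not part of this documentation, that performs the Active Directory side of Steps 4 and 6 with the ActiveDirectory PowerShell module and then lists the members so you can verify which computers the role currently covers; it assumes that the default deployment path acme.pubs.org/Acme/Computer Roles corresponds to the distinguished name shown, and the computer names are placeholders.

```powershell
# Added example (not from the Access Manager documentation): create the
# mfa_required_servers group from Step 4, populate it as in Step 6, and
# report its computer members so the MFA scope can be reviewed.
# Assumptions: $GroupPath is the DN for acme.pubs.org/Acme/Computer Roles in
# the default deployment structure; $SensitiveComputers are placeholder names.
Import-Module ActiveDirectory

$GroupName          = 'mfa_required_servers'
$GroupPath          = 'OU=Computer Roles,OU=Acme,DC=acme,DC=pubs,DC=org'   # assumed DN
$SensitiveComputers = @('FIN-DB01', 'HR-FILES02')                          # placeholders

# Create the security group only if it does not already exist (idempotent).
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -SearchBase $GroupPath
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path $GroupPath -Description 'Computers whose role requires MFA for login' -PassThru
}

# Current members, so re-running the script does not error on duplicates.
$existing = @(Get-ADGroupMember -Identity $group | ForEach-Object { $_.distinguishedName })

foreach ($name in $SensitiveComputers) {
    $computer = Get-ADComputer -Filter "Name -eq '$name'"
    if ($null -eq $computer) {
        # A typo here would silently leave a sensitive host outside the MFA scope,
        # so surface it rather than continuing quietly.
        Write-Warning "Computer '$name' not found in AD; not added to $GroupName"
        continue
    }
    if ($existing -notcontains $computer.DistinguishedName) {
        Add-ADGroupMember -Identity $group -Members $computer
    }
}

# Verify: these members are what Access Manager lists under the computer role,
# i.e. the hosts on which the 'require MFA for login' role definition applies.
Get-ADGroupMember -Identity $group |
    Where-Object { $_.objectClass -eq 'computer' } |
    Select-Object Name, DistinguishedName |
    Sort-Object Name
```

Run the final query again after commissioning or decommissioning a sensitive server; a host missing from the list is a host on which the role assignment, and therefore the MFA requirement, is not in effect.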