In addition to the require MFA for login role, which requires users to provide both their password and a second form of authentication to log on to a Centrify-managed Windows computer, you can enable multi-factor authentication for a predefined right. When you define a desktop, application, or network access right, you can choose to enable multi-factor authentication for that right. For example, if you want to require multi-factor authentication before a user can open a privileged desktop, you would issue that user a role with a predefined desktop right that has multi-factor authentication enabled.
To enable multi-factor authentication for a right definition:
- Right-click the predefined right after adding it to a role definition.
- Select Properties.
- Click the Run As tab and select Re-authenticate current user and Require multi‑factor authentication.
Note: Before defining this right, you should be aware that multi-factor authentication for Centrify-managed Windows computers relies on the infrastructure provided by the Privileged Access Service.