Specify AD groups that require multi-factor authentication

Specify the Active Directory groups in classic zones or Auto Zones that are required to use multi-factor authentication to log on or use privileged commands.

For example, if you want to require all members of the Qualtrak Admin group to use multi-factor authentication when they log on to computers that host sensitive information, you can specify that group in this policy. Groups specified in this parameter must be security groups. Distribution groups are not supported.

If you enable this policy, you can specify groups by name in the following formats:

  • sAMAccountName
  • sAMAccountName@domain
  • domain/container/cn

By default, no groups are required to authenticate using multi-factor authentication.

Note:   On computers running Centrify Express agents, you must set this policy using the configuration parameter. Group policies are not supported for Express agents. This group policy modifies the adclient.legacyzone.mfa.required.groups configuration parameter in the agent configuration file.