Specify Active Directory users that require multi-factor authentication on Windows login (when the agent is not joined to a zone)

Use this policy to specify the Active Directory users that are required to use multi-factor authentication to log on to Windows computers. If you enable this policy, you can specify users by name in the following formats:

  • sAMAccountName
  • sAMAccountName@domain
  • userPrincipalName@domain
  • An asterisk (*), which includes all Active Directory users

Use quotes for names containing spaces, for example, “Krusty T. Clown”.

By default, no users are required to authenticate using multi-factor authentication.