Specify AD users that require multi-factor authentication

Specify the Active Directory users in classic zones or Auto Zones that require multi-factor authentication to log on or use privileged commands.

If you enable this policy, you can specify users by name in the following formats:

  • sAMAccountName
  • sAMAccountName@domain
  • userPrincipalName@domain
  • domain/container/cn
  • CN=commonName,...,DC=domain_component,DC=domain_component
  • An asterisk (*), which includes all Active Directory users

By default, no users are required to authenticate using multi-factor authentication.

Note: On computers running Centrify Express agents, you must set this policy using the adclient.legacyzone.mfa.required.users configuration parameter. Group policies are not supported for Express agents.

This group policy modifies the adclient.legacyzone.mfa.required.users configuration parameter in the agent configuration file.