This configuration parameter specifies a list of Active Directory groups in a classic zone or an Auto Zone that are required to use multi-factor authentication when logging on or using privileged commands. For example, if you want to require all members of the Qualtrak Admin group to use multi-factor authentication when they log on to computers that host sensitive information, you can add that group to this parameter.

Groups specified in this parameter must be security groups; distribution groups are not supported.

In most cases, you set this configuration parameter using group policy. You can, however, set it manually in the configuration file if you are not using group policy, or to temporarily override group policy.

By default, multi-factor authentication is not enabled for groups in classic or Auto Zones.

You can separate groups with a space or a comma, and you can use double quotes or escape characters to include spaces or special characters in group names. For example:

adclient.legacyzone.mfa.required.groups: centrify_users, "Qualtrak Admins", Domain\ Users

Supported group name formats

You can specify groups by name or you can list the group names in a file in the following formats:

  • SAM account name: sAMAccountName
  • SAM account name of a group in a different domain: sAMAccountName@domain
  • canonicalName: domain/container/cn

Specifying the parameter value in a separate file

To specify a file that contains a list of Active Directory group names, you can set the parameter value using the file: keyword and a file location. For example:

adclient.legacyzone.mfa.required.groups: file:/etc/centrifydc/legacy_user_groups_mfa.require 

In the /etc/centrifydc/legacy_user_groups_mfa.require file, you would type each group name on its own line using any of the supported name formats. For example:

"Qualtrak Admins"
Domain\ Users
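
A group name that is split or quoted incorrectly names a different group than intended, so the intended group is not covered by the multi-factor requirement. The following check is an added example, not part of the product or its documentation: it tokenizes a parameter value (or the lines of the file: target) using the separator, quoting, and escape rules described above and reports which supported name format each entry matches. The function names are hypothetical, and it assumes that only ASCII double quotes act as quotes; the agent's own parser may differ.

```python
# Added example (not adclient's parser): tokenizes per the rules on this page.
CURLY = "\u201c\u201d"  # typographic quotes, often pasted in from documents
SAMPLE = 'centrify_users, "Qualtrak Admins", Domain\\ Users'  # the page's inline example

def split_groups(value):
    """Split on spaces/commas, honouring "double quotes" and backslash escapes."""
    groups, cur, in_quote, escaped, started = [], [], False, False, False
    for ch in value:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = started = True
        elif ch == '"':
            in_quote = not in_quote
            started = True
        elif ch in " ,\t" and not in_quote:
            if started:
                groups.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if in_quote or escaped:
        raise ValueError(f"unterminated quote or trailing backslash: {value!r}")
    if started:
        groups.append("".join(cur))
    return groups

def name_format(group):
    """Classify a name as one of the three supported formats."""
    if "/" in group:
        return "canonicalName"
    return "sAMAccountName@domain" if "@" in group else "sAMAccountName"

def lint(value, file_lines=None):
    """Return ([(group, format)], warnings); file_lines is the file: content."""
    value, warnings, groups = value.strip(), [], []
    from_file = value.startswith("file:")
    for n, line in enumerate((file_lines or []) if from_file else [value], 1):
        if any(c in CURLY for c in line):
            warnings.append(f"entry {n}: typographic quotes do not quote a name")
        found = split_groups(line.strip())
        if from_file and len(found) > 1:
            warnings.append(f"entry {n}: {len(found)} names on one line")
        groups.extend(found)
    if not groups:
        warnings.append("no groups listed")
    return [(g, name_format(g)) for g in groups], warnings
```

Calling lint(SAMPLE) returns the three group names with no warnings; for a file: value, pass the file's lines as file_lines.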