This configuration parameter specifies a list of Active Directory users in a classic zone or an Auto Zone that are required to use multi-factor authentication when logging on or using privileged commands. For example, if you want to require Bill Hill to use multi-factor authentication to log on to a computer that hosts sensitive information, you can add that user to this parameter.

In most cases, you set this configuration parameter using group policy. You can, however, set it manually in the configuration file if you are not using group policy, or to temporarily override group policy.

By default, multi-factor authentication is not enabled for users in classic or Auto zones.

Separate user names with a space or a comma; use double quotes or escape characters to include spaces or special characters in a user name.

For example, to specify that multi-factor authentication is required for the users bill.hill and tetsu.xu to log on to computers in an Auto Zone, define the parameter value as follows:

adclient.legacyzone.mfa.required.users: "bill.hill",

Supported user name formats

You can specify users by name or you can list the user names in a file in the following formats:

  • SAM account name: sAMAccountName
  • SAM account name of a user in a different domain: sAMAccountName@domain
  • User Principal Name: name@domain
  • Canonical Name: domain/container/cn
  • Full DN: CN=commonName,...,DC=domain_component,DC=domain_component
  • An asterisk (*), which includes all Active Directory users.

Specifying the parameter value in a separate file

To specify a file that contains a list of Active Directory user names, you can set the parameter value using the file: keyword and a file location. For example:

adclient.legacyzone.mfa.required.users: file:/etc/centrifydc/legacy_user_users_mfa.require

In the /etc/centrifydc/legacy_user_users_mfa.require file, type each user name on its own line using any of the supported name formats. For example:

Domain Users
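The following is an added example for reviewing a value of this parameter; it is not Centrify's own parser. It applies the syntax described above (space or comma separators, double quotes, the file: keyword, the * wildcard, and the supported name formats) and assumes backslash is the escape character; the sample user names and list file are constructed.

```python
# Added example (not Centrify code): parse an adclient.legacyzone.mfa.required.users
# value and report who is required to use MFA. Assumes backslash is the escape character.
import shlex
import tempfile
from pathlib import Path

def split_user_list(value: str) -> list[str]:
    """Split an inline value on spaces or commas, honouring double quotes and escapes."""
    lexer = shlex.shlex(value, posix=True)
    lexer.whitespace = " \t,"      # separators: space or comma
    lexer.whitespace_split = True
    lexer.quotes = '"'             # only double quotes group a name
    lexer.commenters = ""          # '#' is an ordinary character in a user name
    return list(lexer)

def resolve_users(value: str) -> list[str]:
    """Return the entries; with the file: keyword read one name per line, skipping blanks."""
    value = value.strip()
    if value.startswith("file:"):
        text = Path(value[len("file:"):]).read_text()
        return [ln.strip() for ln in text.splitlines() if ln.strip()]
    return split_user_list(value)

def classify(name: str) -> str:
    """Map an entry to a documented name format. name@domain may be a UPN or
    sAMAccountName@domain; syntax alone cannot tell them apart."""
    if name == "*":
        return "all-users"
    if name.upper().startswith("CN="):
        return "dn"
    if "/" in name:
        return "canonical"
    if "@" in name:
        return "upn-or-sam@domain"
    return "sam"

def audit(value: str) -> dict:
    """Summarise the MFA-required users and whether the * wildcard covers every AD user."""
    users = resolve_users(value)
    return {"users": users, "kinds": {u: classify(u) for u in users},
            "everyone": "*" in users}

def demo_from_file() -> dict:
    """Write a constructed list file and audit a file: reference to it."""
    with tempfile.NamedTemporaryFile("w", suffix=".require", delete=False) as fh:
        fh.write("bill.hill\n\ntetsu.xu@example.com\n"
                 "CN=Tetsu Xu,CN=Users,DC=example,DC=com\n")
    return audit(f"file:{fh.name}")
```

Running `audit()` over the value taken from centrifydc.conf gives a quick check that the intended users are listed and that the wildcard has not been applied unintentionally.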