Enable this configuration parameter to require multi-factor authentication for users to run the dzdo command. If you enable this parameter, users will be required to authenticate with MFA if they are required to re-authenticate to run dzdo, and are listed in either adclient.legacyzone.mfa.required.users or adclient.legacyzone.mfa.required.groups.

You must enable adclient.legacyzone.mfa.enabled for this policy to take effect.

This configuration parameter does not support rescue rights; users listed in adclient.legacyzone.mfa.rescue.users will not be able to run dzdo without MFA.

To enable this policy, set this parameter to true. The default value for this parameter is false.

For example:

dzdo.legacyzone.mfa.enabled: true