After verifying connector settings, you can use Active Directory Users and Computers or other tools to prepare an Active Directory group for the computers where you plan to require multi-factor authentication. Although you can use any existing Active Directory group for this purpose, the steps in this guide assume you will use a new group specifically for multi-factor authentication.
Multi-factor authentication requires computers to be members of an identity platform role assigned a specific administrative right in the Centrify Identity platform. You can add individual computers independently without using an Active Directory group. However, using an Active Directory group is the recommended approach and facilitates the deployment of computer roles that link user role assignments to computer groups.
To add an Active Directory group for multi-factor authentication:
- Open Active Directory Users and Computers.
- Select a location, right-click, then select New > Group.
  For example, if you are using the default deployment structure, you might expand the Centrify organizational unit and select Computers, then right-click to create a new group in that organizational unit.
- Type a group name, select the group scope, and verify the group type, then click OK.
  For example, type MFA-Group, select Global for the group scope, and verify the group type is Security, then click OK.
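
The same steps can be scripted with the ActiveDirectory PowerShell module. This is an added example, not part of the original guide or Centrify's own tooling; the domain components in the OU path (`DC=example,DC=com`) are placeholders, and the OU layout assumes the default deployment structure mentioned above.

```powershell
# Added example: scripted equivalent of the GUI procedure above.
# Requires the ActiveDirectory module (RSAT) and rights to create groups in the target OU.
Import-Module ActiveDirectory

$GroupName = 'MFA-Group'                                   # group name used in this guide's example
$TargetOU  = 'OU=Computers,OU=Centrify,DC=example,DC=com'  # placeholder path: adjust to your domain

# Look for an existing group first so the script is safe to re-run.
# sAMAccountName must be unique in the domain, so search domain-wide.
$group = Get-ADGroup -Filter "SamAccountName -eq '$GroupName'"

if (-not $group) {
    # Create the group with the scope and type the guide specifies.
    $group = New-ADGroup -Name $GroupName `
                         -SamAccountName $GroupName `
                         -GroupScope Global `
                         -GroupCategory Security `
                         -Path $TargetOU `
                         -Description 'Computers that require multi-factor authentication' `
                         -PassThru
}

# Verify the scope and type, as the last step of the procedure asks,
# whether the group was just created or already existed.
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    throw "Group '$GroupName' exists but is $($group.GroupScope)/$($group.GroupCategory); expected Global/Security."
}

# Flag a group of the same name that lives outside the intended OU.
if ($group.DistinguishedName -notlike "*,$TargetOU") {
    Write-Warning "Group '$GroupName' is located at $($group.DistinguishedName), not under $TargetOU."
}

# Show the result for the change record.
$group | Select-Object Name, GroupScope, GroupCategory, DistinguishedName
```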