Privileged Access Service is most often used to store information about people and devices, to identify different classes of users and devices, and to define the policies that specify what different classes of users and devices can do. To support multi-factor authentication, however, you must also add Centrify-managed computers to the access service.
Any computer that will require multi-factor authentication must also be added as a member of an identity platform-based role. This step is similar to adding computers to a zone. For multi-factor authentication, an identity platform-based role has computers as members and is managed through Privileged Access Service. It is separate from the role definitions and role assignments you manage using Access Manager or other Server Suite components.