
For many reasons, an organisation might not want to enable multi-factor/two-factor authentication (MFA/2FA) for every user in the domain. Instead, it might want to enable MFA/2FA for one or several groups only. This is in fact a common request in the initial stages of an MFA deployment. This article describes the steps for enabling MFA on a group only, instead of the entire domain.

First of all, you will need to create a group in the AD server. For the purposes of this guide, let's call it "DualShield 2FA".

Then, in the DualShield console, you will create two logon policies: a domain logon policy and a group logon policy.

Domain Logon Policy

You need to create a domain logon policy to instruct DualShield that MFA is not required for all users in this domain.

Group Logon Policy

Then, you need to create a group logon policy to instruct DualShield that MFA is required for all users in this group.
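
With these two policies in place, any account outside the group logs on without MFA, so it is worth checking who the group actually covers. The following PowerShell is an added example, not part of the original article or the product's documentation: it creates the "DualShield 2FA" group on the AD side, adds pilot users, and lists privileged accounts that are not direct members. The pilot user names and the choice of "Domain Admins" as the group to check are assumptions.

```powershell
# Added example: AD-side setup and coverage check for group-scoped MFA.
# Requires the RSAT ActiveDirectory module and rights to create/modify groups.
Import-Module ActiveDirectory

$GroupName  = 'DualShield 2FA'                   # group name used in this article
$PilotUsers = @('alice.example', 'bob.example')  # constructed sample accounts
$Privileged = @('Domain Admins')                 # assumption: extend as needed

# 1. Create the MFA group only if it does not already exist.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global `
        -GroupCategory Security `
        -Description 'Users who must authenticate with MFA' -PassThru
}

# 2. Add the pilot users, skipping any who are already direct members.
$direct = @(Get-ADGroupMember -Identity $group |
    Where-Object { $_.objectClass -eq 'user' })
$toAdd = $PilotUsers | Where-Object { $_ -notin $direct.SamAccountName }
if ($toAdd) {
    Add-ADGroupMember -Identity $group -Members $toAdd
    $direct = @(Get-ADGroupMember -Identity $group |
        Where-Object { $_.objectClass -eq 'user' })
}

# 3. Coverage check: privileged users who are NOT direct members of the
#    MFA group. Only direct membership is counted as covered, because the
#    article does not say how nested groups are treated by the group policy.
$covered = $direct.DistinguishedName
$gaps = foreach ($pg in $Privileged) {
    Get-ADGroupMember -Identity $pg -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and
                       $_.DistinguishedName -notin $covered } |
        ForEach-Object {
            [pscustomobject]@{
                PrivilegedGroup = $pg
                SamAccountName  = $_.SamAccountName
            }
        }
}

# Accounts listed here fall under the domain policy (MFA not required).
$gaps | Sort-Object PrivilegedGroup, SamAccountName | Format-Table -AutoSize
```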