In some circumstances, such as in the initial stage of deploying MFA across your entire domain and user base, you might not want to enforce MFA on all user accounts. Instead, you might consider enforcing MFA on some individual users or a user group only.
In this guide, we will describe how to configure your DualShield system so that MFA is only enforced on a user group called "DualShield 2FA". In other words, MFA will only be enforced on users who are a member of the DualShield 2FA group. All other domain users will be able to continue to login into the domain with a password only.
First, you will need to create a user group called DualShield 2FA in your AD server.
Then, you will create 2 logon policies in your DualShield server, a domain policy and a group policy.
The domain policy is bound to the entire domain, and multi-factor authentication is not required on all users.
The group policy is bound to the DualShield 2FA user group, and multi-factor authentication is required on all users.
Domain Logon Policy
| Option | Value |
|---|---|
| Category: | Logon |
| Holder: | Domain |
| Domain: | Select your AD domain |
| Name: | Describe the purpose of this policy |
| Apply policy to these applications: | Select the application that this policy will be applied to (If no application is specified, then this policy will apply to all applications) |
| Authentication: | Select "Multi-factor authentication is not required for all users" |
Group Logon Policy
| Option | Value |
|---|---|
| Category: | Logon |
| Holder: | Group |
| Domain: | Select your AD domain |
| Group | Select the DualShield MFA group |
| Name: | Describe the purpose of this policy |
| Apply policy to these applications: | Select the application that this policy will be applied to (If no application is specified, then this policy will apply to all applications) |
| Authentication: | Select "Multi-factor authentication is required for all users" |