For domain users, you can configure your system to automatically download MFA tokens for offline MFA logins.
Microsoft Entra can authenticate users for computer MFA logins, but to download offline tokens you need the DualShield MFA server or the SafeID Token Service (STS). There are 2 typical setups:
Setup 1:
- Configure the Computer MFA Logon Agent to use Microsoft Entra as the MFA service
- Configure Microsoft Entra to use DualShield or STS as the MFA service via EAM (External Authentication Method)
- Configure the Computer MFA Logon Agent to download offline tokens from DualShield or STS
Setup 2:
- Configure the Computer MFA Logon Agent to use DualShield or STS as the MFA service
- Configure the Computer MFA Logon Agent to download offline tokens from DualShield or STS
If you prefer to use the Entra Conditional Access Policy for controlling access, etc., then Setup 1 is recommended over Setup 2.
When users sign in to computers using their Entra ID domain accounts, their tokens will be automatically downloaded to the computers.