The strategy is that MFA will only be enforced on users who are a member of the DualShield MFA group. All other domain users will be able to continue to login into the domain with password only.
The first step is to create the DualShield MFA group in your AD server.
Then, create 2 logon policies in your DualShield server. A domain policy and a group policy.
The domain policy is bound to the entire domain, and multi-factor authentication is not required on all users.
The group policy is bound to the DualShield MFA user group, and multi-factor authentication is required on all users.
Below is an example.
Domain Logon Policy
| Option | Value |
|---|---|
| Category: | Logon |
| Holder: | Domain |
| Domain: | Select your AD domain |
| Name: | Describe the purpose of this policy |
| Apply policy to these applications: | Select the application that this policy will be applied to |
| Authentication: | Select "Multi-factor authentication is not required for all users" |
Group Logon Policy
| Option | Value |
|---|---|
| Category: | Logon |
| Holder: | Group |
| Domain: | Select your AD domain |
| Group | Select the DualShield MFA group |
| Name: | Describe the purpose of this policy |
| Apply policy to these applications: | Select the application that this policy will be applied to |
| Authentication: | Select "Multi-factor authentication is required for all users" |
For the general guide of creating a logon policy, expand the link below
Select "Administration | Policies" on the side panel,
To create a new policy, click the "CREATE" button on the toolbar to open the policy editor window.
In the policy editor, firstly select Logon from the Category drop-down list
Policy Bindings
| Holder: | The policyholder defines the scope of the policy.
|
| Name: | A unique name that describes this policy |
| Applications: | Optionally, you can bind the policy to a specific application or a list of applications. To specify the application(s), select the field: Apply policy to these applications If the field Apply policy to these applications is left empty, then the policy will be applied to all applications. |
Policy Options
There are 3 authentication options:
- Multi-Factor Authentication is not required for all users
- Multi-Factor Authentication is required for users with tokens only
- Multi-Factor Authentication is required for all user
Multi-Factor Authentication is not required for all users
This option means that all users will be exempted from 2FA or MFA. This option is typically used to exempt a group of users from 2FA or MFA.
Multi-Factor Authentication is required for users with tokens only
This option means that users who have a 2FA/MFA token in their account will be enforced to login with 2FA/MFA, while those users who do not have a token 2FA/MFA token will be exempted from 2FA/MFA in the logon process.
Multi-Factor Authentication is required for all users
This option means that all users will be enforced to login with 2FA/MFA
Please note that users in the context of a policy include users in the scope of the policy only, i.e. the policy holder.