For many reasons, an organisation might not want to enable multi-factor/two-factor (MFA/2FA) authentication on all users in the entire domain. Instead, one might just want to enable MFA/2FA on one or several groups only. This is in fact a common request in the initial stages of MFA deployment. This article describes the steps for enabling MFA on a group only, instead of the entire domain.

First of all, you will need to create a group in the AD server. For the instruction of this guide, let's called it "DualShield 2FA"

Then, in the DualShield console, you will create two Logon policies - a domain logon policy and a group logon policy.

Domain Logon Policy

You need to create a domain logon policy to instruct DualShield that MFA is not required for all users in this domain 

Group Logon Policy

Then, you need to create a group logon policy to instruct DualShield that MFA is required for all users in this group


Please note that in the above example, we also apply the domain and group logon polices to an sepcific application, i.e. "Exchange OWA". Which means that these policies are effective on the specific aplication only. If a policy is not applied to any application then it actually applies to all aplications.




  • No labels