For many reasons, an organisation might not want to enable multi-factor/two-factor (MFA/2FA) authentication on all users in the entire domain. Instead, one might just want to enable MFA/2FA on one or several groups only. This is in fact a common request in the initial stages of MFA deployment. This article describes the steps for enabling MFA on a group only, instead of the entire domain.
First of all, you will need to create a group in the AD server. For the instruction of this guide, let's called it "DualShield 2FA"
Then, in the DualShield console, you will create two Logon policies - a domain logon policy and a group logon policy.
You need to create a domain logon policy to instruct DualShield that MFA is not required for all users in this domain
Then, you need to create a group logon policy to instruct DualShield that MFA is required for all users in this group