Is it possible to force only specific Active Directory users/groups to use MFA on Windows machines while having the privacyIDEA Credential Provider installed and configured as the only valid provider?
I’m thinking of the following scenario:
- there are Windows workstations where normal users should be allowed to log in without MFA, just by entering username and password
- these computers are administered by special “workstation admin” users (implementing admin tiering)
- these admins should be forced to use MFA, so I would need to configure CP to be the only valid credential provider
But how (if even possible) would I exclude the normal workstation users from being forced to use MFA?
Maybe with a different policy which says “ok normal user, you do not need any token”?
Thanks in advance for any kind of response.
Have a nice day!