Force MFA with Credential Provider but only for specific AD groups?

Hey guys,

Is it possible to force only specific Active Directory users/groups to use MFA on Windows machines, even though the privacyIDEA Credential Provider is installed and configured as the only valid provider?

I’m thinking of the following scenario:

  • there are Windows workstations where normal users should be allowed to login without MFA, just by entering username and password
  • these computers are administered by special “workstation admin” users (implementing admin tiering)
  • these admins should be forced to use MFA, so I would need to configure CP to be the only valid credential provider

But how (if even possible) would I exclude the normal workstation users from being forced to use MFA?
Maybe with a different policy which says “ok normal user, you do not need any token”?

Thanks in advance for any kind of response

Have a nice day!

For now I will test things with the authentication policy actions “passOnNoToken” and “passthru” 🙂

There is no such configuration in the credential provider.

All authentication requests are sent to privacyIDEA and the server will decide whether a user has to use a token or if the second factor is correct.

That’s right, you have to rethink the logic, just as you did with certain policies like passOnNoToken…

Thanks, I solved it by adding an additional ldapresolver with basedn “ou=normal users” and two policies (authentication: “passOnNoToken: true”, webui: “login_mode: disable”).
I’m of course not entirely sure you should do it this way, but it works as intended.
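The setup from the last post, expressed as privacyIDEA REST API calls, as an added example that is not part of the thread and not code from the privacyIDEA project. The host, admin credentials, LDAP layout, resolver and realm names (`normalusers`, `alldomain`, `example.internal`) and the bind account are all assumptions; the request paths and parameter names are those of the privacyIDEA REST API as I know it, so check them against the API documentation of your version. The script only sends requests when `PI_APPLY=1` is set and prints them instead when `PI_DRY_RUN=1` is set.

```shell
#!/bin/sh
# Added example, not code from the thread or from the privacyIDEA project.
# It builds the setup from the last post through the privacyIDEA REST API:
#   1. a second LDAP resolver restricted to ou=normal users
#   2. a realm in which that resolver has the highest priority (lowest number)
#   3. an authentication policy "passOnNoToken" and a webui policy
#      "login_mode=disable", both scoped to that resolver only
# Host, credentials, resolver/realm names and the LDAP layout are assumptions.
# PI_DRY_RUN=1 prints the requests instead of sending them; PI_APPLY=1 runs
# the steps at the bottom.

PI_URL="${PI_URL:-https://privacyidea.example.internal}"      # assumed host
PI_ADMIN="${PI_ADMIN:-admin}"                                   # assumed admin
PI_ADMIN_PW="${PI_ADMIN_PW:-changeme}"                          # assumed
LDAP_BASE_NORMAL="ou=normal users,dc=example,dc=internal"       # assumed OU
REALM="example.internal"                                        # assumed realm
RES_NORMAL="normalusers"   # new resolver that only sees normal users
RES_DOMAIN="alldomain"     # assumed name of the existing domain-wide resolver
PI_TOKEN=""

# Log in as privacyIDEA admin and keep the JWT for the later calls.
pi_login() {
    if [ "${PI_DRY_RUN:-0}" = "1" ]; then PI_TOKEN="dry-run-token"; return 0; fi
    PI_TOKEN=$(curl -sS -X POST "$PI_URL/auth" \
        --data-urlencode "username=$PI_ADMIN" \
        --data-urlencode "password=$PI_ADMIN_PW" \
        | sed -n 's/.*"token": *"\([^"]*\)".*/\1/p')
    [ -n "$PI_TOKEN" ] || { echo "login failed" >&2; return 1; }
}

# Send one authenticated request; in dry-run mode echo it on a single line.
pi_call() {  # pi_call METHOD PATH [curl data options...]
    method=$1; path=$2; shift 2
    if [ "${PI_DRY_RUN:-0}" = "1" ]; then
        printf '%s %s%s' "$method" "$PI_URL" "$path"
        for arg in "$@"; do printf ' %s' "$arg"; done
        printf '\n'
        return 0
    fi
    curl -sS -X "$method" -H "Authorization: $PI_TOKEN" "$PI_URL$path" "$@"
}

# 1. LDAP resolver whose base DN is the normal-user OU only.
create_resolver() {
    pi_call POST "/resolver/$RES_NORMAL" \
        --data-urlencode "type=ldapresolver" \
        --data-urlencode "LDAPURI=ldaps://dc.example.internal" \
        --data-urlencode "LDAPBASE=$LDAP_BASE_NORMAL" \
        --data-urlencode "BINDDN=cn=pi-bind,ou=service,dc=example,dc=internal" \
        --data-urlencode "BINDPW=${LDAP_BIND_PW:-changeme}" \
        --data-urlencode "LOGINNAMEATTRIBUTE=sAMAccountName" \
        --data-urlencode "LDAPSEARCHFILTER=(objectClass=user)" \
        --data-urlencode 'USERINFO={"username":"sAMAccountName","email":"mail"}' \
        --data-urlencode "UIDTYPE=objectGUID"
}

# 2. Realm: the normal-user resolver must win on priority. If the domain-wide
#    resolver also covers ou=normal users and comes first, the user is
#    attributed to it and the resolver-scoped policies below never match.
create_realm() {
    pi_call POST "/realm/$REALM" \
        --data-urlencode "resolvers=$RES_NORMAL,$RES_DOMAIN" \
        --data-urlencode "priority.$RES_NORMAL=1" \
        --data-urlencode "priority.$RES_DOMAIN=2"
}

# 3. Policies keyed on the resolver: users found in it may log in with password
#    only while they own no token, and get no web UI login. Admins live outside
#    this resolver, so no passOnNoToken applies to them and a token is required.
create_policies() {
    pi_call POST "/policy/normal_users_no_mfa" \
        --data-urlencode "scope=authentication" \
        --data-urlencode "action=passOnNoToken" \
        --data-urlencode "realm=$REALM" \
        --data-urlencode "resolver=$RES_NORMAL" \
        --data-urlencode "active=true"
    pi_call POST "/policy/normal_users_no_webui" \
        --data-urlencode "scope=webui" \
        --data-urlencode "action=login_mode=disable" \
        --data-urlencode "realm=$REALM" \
        --data-urlencode "resolver=$RES_NORMAL" \
        --data-urlencode "active=true"
}

if [ "${PI_APPLY:-0}" = "1" ]; then
    pi_login && create_resolver && create_realm && create_policies
fi
```

Run `PI_DRY_RUN=1 PI_APPLY=1 sh setup.sh` first to review the exact requests before sending them. The point to verify afterwards is the realm priority: privacyIDEA assigns a user to the first resolver in the realm that finds the login name, and the two policies only fire for users attributed to `normalusers`, so an admin account must not be reachable through that resolver and a normal user must not be found by the domain-wide resolver first. Because `passOnNoToken` turns a missing token into a successful password-only login, check the admin accounts with `GET /token?user=...` (or the web UI) to confirm each of them actually has a token enrolled.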