When ( windows11) join domain + install privacy idea agent
User can login ad+ privacy idea authen complete
But ***
User Can join domain without going through privacy idea onetimepassword by other login
This is a Microsoft Windows Feature!
By default the system allows all available credential providers (which you call “agent”). This is by design.
You need to enable the filter, so that it is restricted to the privacyIDEA credential provider.
Useful doc: