There is a problem with Active Directory users.

When Windows 11 joins the domain and the privacyIDEA agent is installed:

The user can log in with AD + privacyIDEA, and authentication completes.

But ***
The user can join the domain without going through the privacyIDEA one-time password by using another login.

This is a Microsoft Windows Feature!

By default the system allows all available credential providers (which you call “agent”). This is by design.

You need to enable the filter, so that it is restricted to the privacyIDEA credential provider.
Useful doc:
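
An added example, not part of the original reply and not privacyIDEA's own tooling: a read-only PowerShell audit of which credential providers and credential provider filters Windows has registered, to check whether a filter is restricting logon. It assumes the standard Windows registry locations; matching on the name `privacyidea` is an assumption about how the installed provider labels itself.

```powershell
# Added example: list registered credential providers and filters (read-only).
$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'

function Get-RegisteredCredentialItem {
    param([Parameter(Mandatory)][string]$SubKey)

    $path = Join-Path $base $SubKey
    if (-not (Test-Path $path)) { return @() }

    # Each subkey is a CLSID; its default value is the display name.
    Get-ChildItem -Path $path | ForEach-Object {
        [pscustomobject]@{
            Clsid    = $_.PSChildName
            Name     = $_.GetValue('')
            # A DWORD "Disabled" = 1 hides that provider from the logon UI.
            Disabled = ($_.GetValue('Disabled') -eq 1)
        }
    }
}

$providers = @(Get-RegisteredCredentialItem 'Credential Providers')
$filters   = @(Get-RegisteredCredentialItem 'Credential Provider Filters')

Write-Output 'Registered credential providers:'
$providers | Sort-Object Name | Format-Table -AutoSize

Write-Output 'Registered credential provider filters:'
$filters | Sort-Object Name | Format-Table -AutoSize

# Assumption: the privacyIDEA entries carry "privacyidea" in their registered name.
$piProvider = $providers | Where-Object { $_.Name -match 'privacyidea' }
$piFilter   = $filters   | Where-Object { $_.Name -match 'privacyidea' }

if (-not $piProvider) {
    Write-Warning 'No privacyIDEA credential provider found under Credential Providers.'
}
if (-not $piFilter) {
    # Without a filter, every provider not marked Disabled is still offered at logon.
    $open = @($providers | Where-Object { -not $_.Disabled -and $_.Name -notmatch 'privacyidea' })
    Write-Warning ("No privacyIDEA filter registered; {0} other provider(s) remain usable." -f $open.Count)
}
```

Run it on the Windows 11 client before and after enabling the filter to confirm the change took effect.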