Need to add more than 50 users to MFA exclusion in a resource

Hi all

I'm creating a resource that will be deployed on all our computers in the domain. The goal is to use the AuthPoint Logon App ONLY when some administrative accounts log into users' PCs. As far as I understand, the only way to do it is to create a resource with all our non-administrative users in the domain in the MFA exclusion list.
Unfortunately, the MFA exclusion list supports a maximum of 50 users. I have 650 users in the domain.
Any suggestions on how we could reach our goal?

Thanks in advance

Comments

  • edited March 2022

    My advice would be to make two groups in your LDAP sync, something like:
    AuthPoint-LogonApp
    AuthPoint-NoLogonApp

    Then you build two authentication policies: one for "AuthPoint-NoLogonApp" that just has the password box checked (this tells AuthPoint to only require a password).

    For the other policy (for AuthPoint-LogonApp) do the same thing but enable the MFA options you want (Push and QR Code are advised).

    Caveats about this method:

    • Users must be in AuthPoint for the rule to apply, which means you have to pay for an AuthPoint license for users even if they currently aren't using MFA.
    • Users that don't have MFA already will get an invite, so you will need to warn them and make sure they are aware / can ignore it (policies that say "Password" with nothing else checked will let users through even if the token isn't activated, so you don't have to worry about the pending tokens unless your OCD bugs you about it :wink:).
    • This product is designed to have you lock down your users' machines with MFA, rather than lock them down for administrator MFA... so the options are limited on what to do in your case.

    Also, that config file you are looking at updating isn't for random/mass users... it is for LocalAdministrator accounts (specifically accounts not in AuthPoint) so that you have a way to break in (one that isn't tied to the domain or isn't in AuthPoint) if something bricks.

    We can wait and see if WG has any other alternatives but that is the way I have had to do it in the past.

    ~T

    Tristan Colo
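The first step of the approach above is the two directory groups that the AuthPoint LDAP sync will pick up. The following PowerShell is an added example, not code from the thread, from Tristan, or from WatchGuard: it creates the two groups named in the reply and sorts every enabled domain user into exactly one of them, using membership of an administrative group as the dividing line. The OU path and the list of groups that count as "administrative" are assumptions to be adjusted for your domain; the group names are the ones proposed in the reply.

```powershell
# Added example (not from the thread or from WatchGuard documentation).
# Builds the two AD security groups described in the reply:
#   AuthPoint-LogonApp   -> administrative accounts that must complete MFA at logon
#   AuthPoint-NoLogonApp -> everyone else, matched by the password-only policy
# Run from a domain-joined admin workstation with RSAT installed.
Import-Module ActiveDirectory

# Placeholders (assumptions, not values from the thread): where to create the
# groups, and which existing groups define an "administrative" account.
$GroupOU     = 'OU=Groups,DC=example,DC=local'
$AdminGroups = @('Domain Admins')

# Create the two groups if they do not exist yet (idempotent re-runs).
foreach ($name in 'AuthPoint-LogonApp', 'AuthPoint-NoLogonApp') {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $GroupOU
    }
}

# Resolve administrative user accounts recursively so nested groups count too.
$adminUsers = foreach ($g in $AdminGroups) {
    Get-ADGroupMember -Identity $g -Recursive | Where-Object { $_.objectClass -eq 'user' }
}
$adminSids = @($adminUsers | ForEach-Object { $_.SID.Value } | Sort-Object -Unique)

# Every enabled user lands in exactly one of the two groups.
$allUsers = Get-ADUser -Filter 'Enabled -eq $true'
$logon    = @($allUsers | Where-Object { $adminSids -contains $_.SID.Value })
$noLogon  = @($allUsers | Where-Object { $adminSids -notcontains $_.SID.Value })

if ($logon.Count   -gt 0) { Add-ADGroupMember -Identity 'AuthPoint-LogonApp'   -Members $logon }
if ($noLogon.Count -gt 0) { Add-ADGroupMember -Identity 'AuthPoint-NoLogonApp' -Members $noLogon }

# Sanity check before the next LDAP sync: no overlap, and the two counts should
# add up to the number of enabled users (650 in the original poster's domain).
$overlap = @($logon | Where-Object { $noLogon.SamAccountName -contains $_.SamAccountName })
"LogonApp: $($logon.Count)  NoLogonApp: $($noLogon.Count)  Overlap: $($overlap.Count)"
```

Once the LDAP sync has imported both groups, the two authentication policies are assigned per group in the AuthPoint portal as described above. Re-run the script on a schedule (or hook it into your user-provisioning process) so that newly created accounts are classified before they first log on, and review the `Overlap` count in the output, which should stay at zero.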
