Specify Active Directory Users that Require Multi-Factor Authentication on Windows Login (when the Agent is not Joined to a Zone)

Use this policy to specify the Active Directory users that are required to use multi-factor authentication to log on to Windows computers. If you enable this policy, you can specify users by name in the following formats:

  • sAMAccountName
  • sAMAccountName@domain
  • userPrincipalName@domain
  • An asterisk (*), which includes all Active Directory users

Use quotes for names containing spaces, for example, "Krusty T. Clown".

By default, no users are required to authenticate using multi-factor authentication.