AD MFA · Domain logon · RDP · Windows · Linux

Add MFA to Active Directory. No Azure required.

Enforce phishing-resistant MFA on Windows domain logons, RDP, and privileged accounts — directly on the on-prem Active Directory you already run. Agentless to start; add an agent only where you need offline coverage.

Get in touch
No Entra / Azure AD dependency · Agentless or agent · Live in an afternoon

Every access path

One MFA layer across every way into your domain.

Cloud MFA stops at the SSO portal. Authnull enforces a second factor on the logons that actually touch your domain controllers, servers, and admin accounts.

Windows domain logon

MFA at interactive logon for any domain-joined Windows workstation or server — console and remote.

Kerberos · NTLM · credential provider

RDP & RDS

Step-up MFA on Remote Desktop and session hosts — including jump boxes and bastion servers.

3389 · RemoteApp · gateway

Domain admin accounts

Force a stronger factor for privileged logons — the accounts an attacker actually wants.

Domain Admins · tier-0

Windows servers

Protect domain-joined member servers and DCs at logon — agentless via the domain or with an agent.

2019 · 2022 · core

Linux domain-joined

MFA on SSH and console for Linux hosts joined to AD via SSSD / realmd, through a PAM module.

PAM · SSSD · realmd

VPN & RADIUS

Bridge the same AD identities to VPNs and network gear over RADIUS — one policy, every entry point.

RADIUS · 802.1X

Deployment, honestly

Agentless or agent. We'll tell you which to use.

Start agentless and cover most logons in an afternoon. Reach for the agent only when you need to protect machines that lose network — laptops in the field, air-gapped hosts, OT.

Agentless

Recommended
User logon → Domain Controller → Authnull MFA

No software on endpoints: deploys through the domain and RADIUS/LDAP.
Covers domain logon, RDP, VPN, and network gear.
Fastest path to coverage and the easiest to roll back.
Requires the machine to reach Authnull at logon time.

Use when: servers, desktops, and remote access that stay connected to the network.

Endpoint agent

Offline
User logon → Agent + MFA → Machine

Enforces MFA at the machine: works fully offline.
Offline TOTP for air-gapped and disconnected hosts.
Windows and Linux. Push via MDM/GPO.
One lightweight install per protected machine.

Use when: field laptops, air-gapped networks, kiosks, OT — anything that must work without connectivity.

Granular policy

Require MFA exactly where it matters.

Scope policy by user, group, OU, source, and time — so admins from outside the network get a hardware key, while a desk in the office stays out of your way.

User · Group · OU · Source IP / geo · Time of day · Machine

Policy · Privileged remote access · enabled
WHEN user in Domain Admins
AND source outside corp network
AND time 18:00 – 07:00
REQUIRE FIDO2 security key
ELSE allow with authenticator

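As an added illustration (not Authnull's code), the following Python models how the policy above is evaluated for a logon: group membership, source outside the corporate network, and a time window that crosses midnight. The corporate address ranges and the sample logons are constructed values, not taken from the page.

```python
"""Illustrative evaluator for the "Privileged remote access" policy.

Rule modelled (from the policy block above):
  WHEN user in Domain Admins AND source outside corp network
  AND time 18:00-07:00  -> REQUIRE FIDO2 security key
  ELSE                  -> allow with authenticator
Corporate ranges and logon events below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed sample: assumed corporate address space (not from the page).
CORP_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
PRIVILEGED_GROUPS = {"Domain Admins"}
WINDOW_START, WINDOW_END = time(18, 0), time(7, 0)  # 18:00-07:00 crosses midnight


@dataclass(frozen=True)
class Logon:
    user: str
    groups: frozenset
    source_ip: str
    local_time: time


def in_corp_network(ip: str) -> bool:
    """True when the source address falls inside any corporate range."""
    addr = ip_address(ip)
    return any(addr in net for net in CORP_NETWORKS)


def in_window(t: time, start: time = WINDOW_START, end: time = WINDOW_END) -> bool:
    """Half-open window [start, end); handles windows that wrap past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def required_factor(logon: Logon) -> str:
    """Return 'fido2' when all three conditions hold, else 'authenticator'."""
    privileged = bool(logon.groups & PRIVILEGED_GROUPS)
    remote = not in_corp_network(logon.source_ip)
    after_hours = in_window(logon.local_time)
    return "fido2" if (privileged and remote and after_hours) else "authenticator"


def decide(user: str, groups, source_ip: str, hour: int, minute: int = 0) -> str:
    """Convenience wrapper: build a Logon from plain values and evaluate it."""
    return required_factor(Logon(user, frozenset(groups), source_ip, time(hour, minute)))
```

The midnight wrap is the detail to check in any real policy engine: a 02:00 logon must still count as inside an 18:00 to 07:00 window.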
Domain admin protection

Your domain admins are the keys to the kingdom. Treat them that way.

Force phishing-resistant, step-up MFA on every privileged logon — and make it the hardest credential in your environment to phish, replay, or reuse.

Step-up on privileged logon
Domain Admins and tier-0 accounts always hit a stronger factor than standard users.
Just-in-time elevation
Grant privileged access for a window, with MFA at the moment of elevation — not standing 24/7.
Bridge to full PAM
When you're ready, the same identities extend into Authnull privileged access — session recording, vaulting, and approvals.

Yes — MFA works offline and air-gapped.

Supported

With the endpoint agent, machines enforce time-based OTP without any connection to Authnull or the internet — so disconnected laptops, segmented OT, and air-gapped networks stay protected. This is the scenario that loses deals for cloud-only MFA; we built for it on purpose.

Supported methods

Phishing-resistant first. Familiar where you need it.

Pick the right factor per policy. We lead with FIDO2 and push, and we're honest about the weak ones.

FIDO2 / security keys: phishing-resistant
Push approval: number matching
Authenticator (TOTP): offline-capable
Hardware OTP: YubiKey · tokens
Offline OTP: air-gapped
Email: recovery only
SMS: not phishing-resistant
Passkeys: passwordless

Live in an afternoon

Three steps from download to enforced.

01 · Connect your domain · ~ 15 min

Point Authnull at Active Directory and deploy the agentless connector. No schema changes, no Azure tenant.

02 · Choose your policy · ~ 20 min

Pick the users, groups, and OUs to protect, and the methods they can use. Start with domain admins.

03 · Enforce & enroll · same day

Flip enforcement on. Users self-enroll their factor at next logon — pilot a group, then widen.

Helps you evidence: SOC 2 Type II · CCPA

FAQ

Active Directory MFA, answered.

Can you enforce MFA on Active Directory without Azure or Entra?

Yes. Authnull enforces MFA directly against on-prem Active Directory — no Entra ID, Azure AD, or cloud-sync required. It works on domain logon, RDP, and server access using your existing domain, so you can add MFA without migrating identity to the cloud.

Does Authnull MFA work for RDP and Windows logon?

Yes — MFA is enforced at interactive Windows logon (console and RDP), including Remote Desktop session hosts, jump boxes, and member servers. You can require it for everyone or scope it to privileged accounts and remote sources only.

Do I have to install software on every machine?

No. The agentless deployment protects domain logon, RDP, and VPN through the domain and RADIUS/LDAP — nothing on the endpoints. You only add the lightweight agent on machines that need to enforce MFA while offline.

Does AD MFA work offline or on air-gapped networks?

Yes. With the endpoint agent, machines validate time-based OTP locally with no connection to Authnull or the internet — covering disconnected laptops, segmented OT, and fully air-gapped networks.

Can I require MFA only for domain admins?

Yes. Policy is scoped by user, group, OU, source, and time — so you can require a hardware key for Domain Admins logging in from outside the network, while leaving in-office standard users untouched. It's the fastest way to satisfy an audit finding on privileged access.

How long does it take to deploy?

Most teams connect the domain, set a policy, and enforce MFA on a pilot group the same afternoon. Agentless coverage needs no endpoint rollout, and you can widen from a pilot OU to the whole domain at your own pace.

Put MFA on Active Directory this week.

Start free on your own domain, or have us walk your AD environment in 20 minutes and map a rollout.

Get in touch