Add MFA to Active Directory.
Enforce MFA on every domain authentication from a single DC Sensor on your domain controllers. No cloud sync, no proxy servers, nothing on workstations or member servers.
The DC intercepts the auth, then holds it until the user approves.
Every Kerberos, NTLM, LDAP, and SMB request is evaluated against policy at the domain controller. Service accounts are detected and skipped automatically. Every decision is logged for audit.
One MFA layer across every way into your domain.
Your IdP protects cloud apps. Authnull adds MFA to the infrastructure it misses — domain logons, RDP, RADIUS, and every server your SSO portal never sees.
Active Directory MFA
Enforce MFA on every domain authentication from a single agent on your domain controllers. No cloud sync, no proxies, nothing on member servers.
Kerberos · NTLM · LDAP · SMBWindows & RDP
Block RDP sessions, runas commands, and file-share access until MFA is approved — held at the DC.
RDP · runas · SMB sharesDomain admin accounts
Always require MFA on privileged logons — the accounts an attacker actually wants — while standard users follow your policy.
Domain Admins · tier-0Windows servers
Protect domain-joined member servers and DCs at logon — agentless, enforced from the DC Sensor with nothing on the server itself.
2019 · 2022 · coreTwo deployment modes. No software on endpoints.
The DC Sensor runs on your domain controllers and covers everything on the domain. Add the RADIUS Bridge for VPN gateways and network gear that speak RADIUS.
Agentless
RecommendedUse when: domain-joined Windows servers, desktops, and RDP access.
RADIUS Bridge
VPN · NetworkUse when: Cisco, Aruba, Juniper, Fortinet, or any RADIUS-capable VPN or firewall.
Require MFA exactly where it matters.
Scope policy by user, group, OU, source, and time — so admins from outside the network always hit MFA, while a desk in the office stays out of your way.
Your domain admins are the keys to the kingdom. Treat them that way.
Require MFA on every privileged logon — held at the domain controller until the admin approves. Service accounts are detected and excluded automatically, and every decision is logged for audit.
Works with your existing Duo or Okta — no rip and replace.
Authnull sits in front of AD and triggers push via the provider your users are already enrolled in. Bring your own Duo or Okta tenant, or use Authnull Wallet directly.
Six steps from download to enforced.
Configure Active Directory
Connect Authnull to your AD via LDAP — domain, IP, search base, bind credentials. No schema changes.
Install the DC Sensor
Deploy the lightweight DC Sensor on your domain controllers. It intercepts Kerberos, NTLM, LDAP, and SMB at the DC — nothing on endpoints.
Enroll users via Wallet
Users install the Authnull Wallet app and register their factor. Enrollment tracked per user — Registered or Pending.
Monitor user status
The dashboard shows every AD user and service account, their enrollment state, and last authentication event.
Set policy
Define who must MFA — by user, group, OU, source IP, and time. Start with Domain Admins, then widen.
Agentless MFA enforced
Policy goes live. Every covered domain authentication triggers a push — held at the DC until the user approves.
Active Directory MFA, answered.
Can you enforce MFA on Active Directory without Azure or Entra?
Yes. Authnull enforces MFA directly against on-prem Active Directory — no Entra ID, Azure AD, or cloud-sync required. It works on domain logon, RDP, and server access using your existing domain, so you can add MFA without migrating identity to the cloud.
Does Authnull MFA work for RDP and Windows logon?
Yes — MFA is enforced at interactive Windows logon (console and RDP), including Remote Desktop session hosts, jump boxes, and member servers. You can require it for everyone or scope it to privileged accounts and remote sources only.
Do I have to install software on every machine?
No. The DC Sensor runs on your domain controllers only — nothing on workstations, member servers, or endpoints. Domain logon, RDP, and RADIUS are all covered without touching user machines.
We already have Duo — do we have to replace it?
No. Authnull sits in front of Active Directory and can trigger your existing Duo push. If you already have Duo or Okta enrolled, users keep using the same app — Authnull just adds the AD enforcement layer.
Can I require MFA only for domain admins?
Yes. Policy is scoped by user, group, OU, source IP, and time — so you can require MFA for Domain Admins logging in from outside the network, while leaving standard in-office users untouched.
How long does it take to deploy?
Most teams connect the domain, set a policy, and enforce MFA on a pilot group the same afternoon. Agentless coverage needs no endpoint rollout, and you can widen from a pilot OU to the whole domain at your own pace.
Put MFA on Active Directory this week.
Start free on your own domain, or have us walk your AD environment in 20 minutes and map a rollout.