Web interface force authentication

The easiest and fastest way to accomplish this would be to turn on Basic Authentication in IIS for each of the web interfaces to force a popup asking for a username and password. An SSL cert on the web server needs to be in place to prevent credentials from being sent on the network in clear text.

In addition Richard Lambert 's suggestion, I recommend to customers that they deploy a security GPO to their users' browsers to force them to enter user names and passwords.

Thanks Richard that worked great

Hi Johnny, could you expand on that a little 

How do you enforce MFA for logging into the ActiveRoles web interface?

You can configure Federated Authentication in the Active Roles Configuration Center. This will redirect Active Roles web users to the configured IdP's web site for initial authentication. This can then be MFA, passwordless... whatever the IdP supports. Once authenticated, the user will be handed back to the Active Roles WI.

Have a look at the Admin Guide for the Okta configuration as an example:

Active Roles 8.1.1 - Administration Guide (oneidentity.com)