Enable secondary authentication on SPP group


I'm using One Identity Defender to enable 2FA in Safeguard for Privileged Passwords.

I enabled the secondary authentication option in the Active Directory group's authentication tab on SPP, but the users are still able to log in without the OTP.

If I enable the secondary authentication on a single user, it works fine.

Is there a workaround to enable that for many users all at once?

  • Hi Daniele,

    If you enable it for a new AD Group where the users have not been imported already in SPP, does that work?

    It seems that if the AD group is modified after the users have already been imported, it might not update existing users.

    You could possibly utilize the Core API to enable it for each user in bulk. Otherwise, if deleting the users is an option (this will remove any associated entitlements too, so be careful), then deleting them and adding them back via the AD group, having set the setting on the AD Group before adding these users back, is another option?


  • Simplest fix if you have existing users in your AD group is to make the change to the group to use 2FA, delete all the users in the group and then let them re-import/synchronise. Has worked for me in the past. Cannot speak for latest releases but I would assume it would be the same.

    Core API works as well, but for me it takes a lot more time to implement.

    Good luck Tim