Active Directory
Authnull adds MFA, conditional access, and privileged-access controls to Active Directory without changing how your users or applications authenticate today.
Everything starts from the Identity Providers screen (Admin → Directory → Identity Providers), where you register each AD domain and EntraID source, watch their connection and sync status, and enable MFA.
How it fits together
An AD integration has two parts:
- A registered directory — the connection details for a Domain Controller (domain, DC host, service account, sync filters). This is what you create in the Connect Active Directory wizard.
- A sensor on the Domain Controller — the Authnull component that reads authentication activity and enforces policy in real time. You deploy it in the Install DC Sensor step.
Once the sensor connects, the directory shows as Running on the Identity Providers list and begins syncing users, groups, and OUs according to your sync filters. From there you define enforcement with AD Policies.
Your users & devices
        │  Kerberos / NTLM / RDP / SMB / LDAP
        ▼
Domain Controller ──► Authnull DC Sensor
        │                   │
        │                   ├── Policy check (AD Policies)
        │                   ├── MFA push to the user's phone
        │                   └── Allow / Deny verdict
        ▼
Active Directory (completes auth only on Allow)
Choose an enforcement model
| Model | When to use | Where it runs |
|---|---|---|
| Agent / DC Sensor | Standard deployment — install the sensor on each Domain Controller | On the DC |
| Agentless AD | Same sensor, deep-dive on protocol coverage and enforcement internals | On the DC |
Both models use the same Connect AD → Install DC Sensor flow. The Agentless AD section is the architecture reference for how enforcement works across Kerberos, NTLM, RDP, SMB, and LDAP.
Get started
- Connect Active Directory — register your domain and DC connection
- Install DC Sensor — deploy the sensor on the Domain Controller
- Identity Providers — manage and monitor your directories
- AD Policies — define MFA and access enforcement