AD Policies
AD Policies decide what happens when someone authenticates against your domain — allow it, require MFA, deny it, or just notify. Manage them under AD Policies.
The policies list
The list toolbar gives you:
- Search by policy name
- Add Policy — create a new policy
- Discover Policies — auto-discover candidate policies from your AD (see below)
- Filter badges for Domain, Action, and Status
| Column | Description |
|---|---|
| Policy Name | The policy's name |
| Domain | The AD domain it applies to |
| Target | The users, groups, and/or OUs in scope |
| Action | Allow, MFA Required, Deny, or Notify |
| Auth Type | AD or RADIUS |
| Mode | Online, Monitor, or Offline |
| Status | Enabled, Disabled, or Suspended |
| Updated | Last modified time |
| Actions | Edit, Approve / Suspend, Delete |
Create or edit a policy
Add Policy (or Edit from the row menu) opens the policy editor.
1. Basic settings
| Field | Description |
|---|---|
| Policy Name | Required. |
| Auth Type | Active Directory (Kerberos · LDAP · SMB) or RADIUS (VPN / Wi-Fi). EntraID is reserved for a future release. |
| Policy Kind | Static — a fixed action — or Risk-based — the action depends on a risk score. |
| Active Directory | Required. Select one of your connected AD domains. |
2. Scope
Choose who the policy applies to using searchable multi-selects for Groups, Users, and OUs. Click Discover to pull the current groups, users, and OUs (with member counts) from the selected directory.
3. Action
- Static policies set a single Action: Allow, MFA Required, Deny, or Notify.
- Risk-based policies set a Risk Threshold (0–100, default 70) plus an Above Threshold Action and a Below Threshold Action.
4. Mode
| Mode | Behavior |
|---|---|
| Online | Active enforcement |
| Monitor | Logs decisions without enforcing — ideal during rollout |
| Offline | No enforcement |
5. MFA configuration
When the action is MFA Required, customize the push prompt template the user sees. The default is:
$username is signing in to $destination via $protocol from $source_ip
Available variables: $username, $destination, $protocol, $source_ip.
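A way to lint a customized prompt template before saving it, as an added example that is not the product's own code. It assumes the product's `$variable` substitution behaves like Python's `string.Template`; the function names, the sample values, and the control-character stripping and length cap in the preview are choices made for this example.

```python
import re
from string import Template

# The four variables the page documents for the push prompt template.
ALLOWED = {"username", "destination", "protocol", "source_ip"}
DEFAULT_TEMPLATE = "$username is signing in to $destination via $protocol from $source_ip"

# Constructed sample values, used only to preview the rendered prompt.
SAMPLE = {"username": "jdoe", "destination": "fs01.corp.example",
          "protocol": "SMB", "source_ip": "10.0.4.17"}


def check_template(text):
    """Return (errors, unused).

    errors: placeholders that would not render (typos, stray '$').
    unused: documented variables the template leaves out, so a reviewer
            can see what context the user will not get in the prompt.
    """
    errors, used = [], set()
    for m in Template.pattern.finditer(text):
        name = m.group("named") or m.group("braced")
        if m.group("invalid") is not None:
            errors.append(f"stray '$' at offset {m.start()}")
        elif name is not None and name not in ALLOWED:
            errors.append(f"unknown variable ${name}")
        elif name is not None:
            used.add(name)
    return errors, sorted(ALLOWED - used)


def render_preview(text, values, max_len=64):
    """Render the prompt with values cleaned the way a prompt should show them."""
    errors, _ = check_template(text)
    if errors:
        raise ValueError("; ".join(errors))
    # Values originate in the authentication request, so drop control
    # characters (newlines included) and cap the length before display.
    clean = {k: re.sub(r"[\x00-\x1f\x7f]", "", str(values[k]))[:max_len]
             for k in ALLOWED}
    return Template(text).substitute(clean)


if __name__ == "__main__":
    print(check_template("Approve login for $user from $source_ip?"))
    print(render_preview(DEFAULT_TEMPLATE, SAMPLE))
```
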
Click Save (or Update when editing) to apply the policy.
Discover Policies
The Discover Policies drawer inspects a selected AD and suggests candidate policies based on the groups and OUs it finds — a fast way to bootstrap coverage instead of building every policy by hand. Review the suggestions, adjust scope and action, and save the ones you want.
Create new policies in Monitor mode first. You'll see exactly which authentications would be challenged or blocked — and the MFA results — before you switch them to Online.