Hi @Ben Van Doorsselaere
Since MFA is enabled at the group level, the changes get applied to all users within the group.
In this situation we may have to separate the users who don't need MFA and disable MFA under the group level to achieve the requirement.
We created an AD group for MFA users (the reverse of the non-MFA group) and this indeed solves the issue.
I added the AD group for all MFA users and configured Commvault to force MFA for those users.
So the users that have access via the Commvault user group and are in the MFA group will need MFA.
The users that are in the Commvault user group but not in the MFA AD group (because they are in the non-MFA group) don't get an MFA login.
I assume that Commvault local users won't get MFA either. I don't use those, but for security purposes I might still search for a way to force it for future local users.
@Ben Van Doorsselaere
Yes, the local users cannot use MFA since they don't reach AD for authentication and the request gets solved locally at the CommServe DB.