
What CredProv Registry settings are needed to support Windows Logins without SP accounts/tokens?

We have seen cases where a customer is rolling out MFA but not every user has been issued a token yet, or not every account has been created in the SurePassID directory on the MFA server (cloud or on-premises). There are also deployments where only a certain class of user, e.g. administrators, needs MFA while standard users do not.

Where you want to allow single-factor authentication (SFA) for users who are not yet in the SP directory or who have not yet received a token, or where MFA is not required of everyone and the exempt users will never appear in the SP directory, change the SP WLM registry setting in the "CredProv" section to one of the following values:
 
SFA_FALLBACK_OPTION_NONE = 0 (no SFA fallback at all: every Windows logon requires MFA)
SFA_FALLBACK_OPTION_NO_SP_USER = 1 (allows fallback to SFA when the user's login name does not match any username in the SP directory)
SFA_FALLBACK_OPTION_N_SP_USER_2FA_DEVICES = 2 (allows fallback to SFA when the user's login name is found in the SP directory but no 2FA methods have been defined for that user)

Options 1 and 2 each open a deliberate password-only path: anyone holding a valid Windows password for an account outside the SP directory (option 1) or for an SP user with nothing enrolled (option 2) is not stopped by MFA. Treat them as transition settings and return the value to 0 once every account that must use MFA has been created and issued a token.

Please note that at present these options only apply to the SurePassID Windows Login Manager.
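The following PowerShell is an added example for managing and auditing the setting described above; it is not SurePassID's own tooling. The registry path HKLM:\SOFTWARE\SurePassID\CredProv and the value name SfaFallbackOption are assumptions made for illustration (the page only names the "CredProv" section and the three option constants), so confirm the real key and value name in your WLM installation before running it.

```powershell
# Added example, not SurePassID code. Assumed (hypothetical) locations:
#   $CredProvKey   - the WLM "CredProv" registry section
#   $FallbackValue - the REG_DWORD holding the SFA fallback option (0, 1 or 2)
# Verify both against your installation; the names below are placeholders.
$CredProvKey   = 'HKLM:\SOFTWARE\SurePassID\CredProv'   # assumed path
$FallbackValue = 'SfaFallbackOption'                     # assumed value name

# The option values as documented in this article.
$SfaFallbackOptions = @{
    0 = 'SFA_FALLBACK_OPTION_NONE: every logon requires MFA'
    1 = 'SFA_FALLBACK_OPTION_NO_SP_USER: SFA allowed when the login name is not in the SP directory'
    2 = 'SFA_FALLBACK_OPTION_N_SP_USER_2FA_DEVICES: SFA allowed when the user exists but has no 2FA method'
}

function Get-SfaFallbackOption {
    # Returns the current option as an integer, or $null if the value has never been written.
    $item = Get-ItemProperty -Path $CredProvKey -Name $FallbackValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$FallbackValue
}

function Set-SfaFallbackOption {
    param(
        [Parameter(Mandatory)]
        [ValidateSet(0, 1, 2)]      # reject anything outside the three documented values
        [int]$Option
    )
    # Needs an elevated session: HKLM is not writable by standard users.
    if (-not (Test-Path $CredProvKey)) {
        New-Item -Path $CredProvKey -Force | Out-Null
    }
    $before = Get-SfaFallbackOption
    if ($null -eq $before) { $before = 'unset' }
    Set-ItemProperty -Path $CredProvKey -Name $FallbackValue -Value $Option -Type DWord
    Write-Host ("SFA fallback: {0} -> {1} ({2})" -f $before, $Option, $SfaFallbackOptions[$Option])
}

function Test-SfaFallbackClosed {
    # Audit helper: $true only when fallback is explicitly set to 0.
    # An unset value is reported as a finding too, so a machine that never
    # received the setting does not silently pass the audit.
    $current = Get-SfaFallbackOption
    if ($current -eq 0) { return $true }
    $shown = if ($null -eq $current) { 'unset' } else { $SfaFallbackOptions[$current] }
    Write-Warning ("{0}: SFA fallback still open ({1})" -f $env:COMPUTERNAME, $shown)
    return $false
}

# Typical use:
#   Set-SfaFallbackOption -Option 1    # during rollout, while accounts/tokens are still being issued
#   Set-SfaFallbackOption -Option 0    # once rollout is complete
#   Test-SfaFallbackClosed             # run via Invoke-Command across the fleet to find stragglers
```

The audit function treats "unset" as a finding rather than assuming the credential provider defaults to 0, because the article does not state the default; checking for an explicit 0 avoids depending on behaviour the page does not document. Run `Test-SfaFallbackClosed` across the estate with `Invoke-Command -ComputerName` once the MFA rollout is finished so that no machine is left on a password-only path.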