I'm trying to set up multifactor authentication for privileged user accounts. The more I read the more confused I get. Do I have to install the FAC agent on every workstation in our facility? Also, does every user have to authenticate to AD using MFA and the FAC agent, or can it be set up just for domain admin accounts? Thank you for your help.
you only need to install the FAC Windows Agent to workstations/servers where you want to enforce 2FA authentication.
The token authentication can be enabled/disabled per-domain bases. You can however exempt individual users/groups from 2FA. More details with screenshots can be found in the install/configuration guide.