Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

[HOWTO] Guide to Enabling MFA for PowerShell Remoting

Authentication Service ,   Privilege Elevation Service ,  

8 July,19 at 02:06 PM

In this article we will be discussing how to create a role assignment for enabling PowerShell remoting and enforcing MFA on use of the PowerShell application. This steps would be useful in cases where you want to add an extra layer of security if users need to be running elevated PowerShell commands on remote machines. Centrify has incorporated the access to PowerShell Remoting starting with our 18.1 Release (Windows agent 3.5.1).

About PowerShell Remoting:

Using the WS-Management protocol, Windows PowerShell remoting lets you run any Windows PowerShell command on one or many remote computers. In addition to allowing establish persistent connections, Powershell remoting will enable you to start 1:1 interactive sessions, and run scripts on multiple computers. PowerShell remoting will require Administrator privileges in the target systems.


1) PowerShell Remoting requires PowerShell version 2.0,
2) .NET Framework 2.0 and Windows Remote Management 2.0
3) Windows 7 or higher Windows Server 2008 R2 or higher
4) MFA for Windows has been enabled on the source machine as per the below instructions:

Roles and Rights

1) We will begin by creating two Windows rights. One is an Applications right and one is a Network Access right.

2) Open the Centrify Access Manager console and expand the zone where the source and target Windows machines reside.

3) Expand:  Authorization > Windows Right Definitions > Applications:

User-added image

4) Right-click on Applications and choose "New Windows Application"

4a) General tab - Give it a name that can easily be remembered for why it exists.

4b) Match Criteria tab - Click the 'Edit' button. But before the details get entered here, just open a PowerShell window. Then go back to the Definition Settings window and choose 'Import Process' and select the PowerShell process that is already running. It will fill in the details for you. It should look something like below:

User-added image

4c) Run As tab - Activate the radio button for 'Self with added group privileges' and choose 'Add Built-in Groups' and choose the Administrators group. Make sure to check the mark for 'Require multi-factor authentication.' So that it looks like below:

User-added image

4d) Once the tabs look correct and you are ready to proceed, click Apply then OK.

5) For the Network Access right, right-click on Network Access and choose 'New Network Access' as shown below:

User-added image

5a) General tab - Choose a name and description.

5b) Access tab - Activate the 'Self with added group privileges' button and choose the Administrators group using the 'Add Built-in Groups' button. MFA is not required here since it has already been enabled in the previous section. Screenshot of what it should look like:

User-added image

5c) Choose Apply then OK.

6) The last steps in this process are to create a role definition and add the previous two rights to this role.

6a) Right-click on Role Definitions, choose 'Add Role'

User-added image

6b) General tab - Add a name and description.
6c) System Rights tab - Place a checkmark next to 'Remote login is allowed' and 'PowerShell remote access is allowed' (as shown below).

User-added image

6d) Authentication tab - Can remain unchanged.
6e) Audit tab - Can remain unchanged unless you would like to require auditing of this role activity. In that case choose 'Audit Required.'
6f) Custom Attributes tab - Can remain unchanged.

7) Add the Application right and Network Access right to the PowerShell role definition.

7a) Right-click the PowerShell role definition and choose 'Add Right'

User-added image

7b) Once the pop-up window opens, choose your Application and Network rights that were created in steps 4 and 5 above. It should look something like this:

User-added image

8) Assign this role to your users at the zone level.

PowerShell Settings

9) The next step is to enable PowerShell Remoting on the target machine. On that machine, open Windows PowerShell (as admin) and enter the following command:

PS C:Windows\system32> Enable-PSRemoting -Force

User-added image

10) Log into the source Windows machine and run the following command to make the new role take effect:

C:\> dzflush

11) Hold the shift key and right-click the PowerShell Icon from the taskbar or start menu then choose 'Run with Privilege..'

User-added image

12) Choose the PowerShell role definition that had been created earlier:

User-added image

13) You should now be getting an MFA prompt, according to what has been set in the Authentication Policy in your Cloud Portal:

User-added image

14) Now, enter the following command to start a remote PowerShell session:

PS C:\Users> Enter-PSsession

User-added image

15) Finally, enter the hostname of the machine you are trying to connect to (Using the short or full DNS name should work)

User-added image

16) You will see that you are connected as the hostname will be shown in square brackets. In this example, we connected to the hostname of WIN2012-1

*Note - the user must have login privileges to the destination machine to be able to login remotely through PowerShell. This can be done either using the local security policy (secpol.msc) or through Group Policy.*

User-added image