Question: How can we set up Centrify to prevent Single Sign-On and require MFA to log in to the portal without breaking MFA for Linux and Windows systems?
Answer: We will need to create two policies in the Admin Portal to handle this.
The computers/servers doing MFA must have IWA (Integrated Windows Authentication) enabled. These systems need to SSO into the tenant to retrieve the mechanisms for the user. This prevents you from turning off the IWA service on the connector and unchecking the IWA box on the login policy.
Steps to achieve this:
1) Create a policy with IWA turned off for the Centrify Portal and apply it to all users and devices. In our example, the policy is named "Users MFA on Portal and Systems". If you already have a policy, select whichever policy is used to set the MFA profile when logging in to the portal.
Navigate to Login Policies -> Centrify Portal and uncheck the following 2 check boxes:

2) Create another policy, for example "IWA Servers for MFA". Apply this policy only to the role containing the systems for MFA, not to all users and devices. This policy has the IWA options turned on.

Lastly, ensure this policy is listed above the previous policy.