WatchGuard Support Center

Active Directory users can bypass MFA when the UPN is changed

Tracking ID: AAAS-12090
Status: Open
Resolved In:

When you change an Active Directory user's unique user principal name (UPN) to match their email address, the user can still log in with the old UPN, and MFA is not required for that login. The user must still type their user name and password.

This issue only occurs when the user logs in with the old UPN. When the user logs in with the updated UPN, MFA is required.

This issue is not related to the agent for Windows and occurs whether or not the agent for Windows is installed. Users affected by this issue can successfully log in to their computers.

No workaround exists at this time.