About the WatchGuard Cloud Directory

The WatchGuard Cloud Directory is an authentication domain where you can add users and groups that are hosted in WatchGuard Cloud. Services in WatchGuard Cloud, such as AuthPoint, can use the WatchGuard Cloud-hosted users and groups that you add to the WatchGuard Cloud Directory. This enables you to add shared users and groups in one place, the WatchGuard Cloud Directory, rather than to each service individually.

These services support users and groups from the WatchGuard Cloud Directory:

  • AuthPoint
  • FireCloud

You can add, edit, and delete users and groups from the WatchGuard Cloud Directory. For detailed steps to add users and groups, go to Add Local Users to an Authentication Domain and Add Local Groups to an Authentication Domain.

When you add WatchGuard Cloud-hosted users, you choose whether the user is an MFA user or a non-MFA user.

MFA Users

MFA users are user accounts that use AuthPoint multi-factor authentication to authenticate. The MFA user account type is not related to the AuthPoint Multi-Factor Authentication license type.

Non-MFA Users

Non-MFA users are user accounts for FireCloud and other non-AuthPoint services. This option is also for AuthPoint users who will only ever authenticate with a password, such as a service account user.

Non-MFA users do not consume an AuthPoint user license. If you use AuthPoint, non-MFA users cannot authenticate to AuthPoint resources that require MFA. A non-MFA user can authenticate to a protected resource only if the user account has a password-only authentication policy for that resource.

Users and groups that you add to the WatchGuard Cloud Directory are automatically added to AuthPoint. This happens because the WatchGuard Cloud Directory uses AuthPoint to validate passwords for all users (MFA users and non-MFA users).

After you add a user, you can edit the user account if you need to change their account type. When you change a user account from MFA to non-MFA, AuthPoint deletes the tokens and password vault (if applicable) that belong to the user. This action cannot be undone.

You must complete user management actions that are specific to a service from the management UI for that service. For example, to block a WatchGuard Cloud-hosted AuthPoint user account, you go to the Users page in the AuthPoint management UI.

Related Topics

WatchGuard Cloud Authentication Domains

Add User Accounts