So, we have customers becoming more interested in CoPilot AI protections. Most of our deployments are based on logon user, and the users are all domain users. CoPilot AI Protections require the Entra integration to be set up and the users to be signed into their DefensX via IAM user.

We do LogonUser deployments because it is the least invasive for the customers and doesn't just block all access until auth can be had. That being said, there does not seem to be a way in the platform to require specific authentication methods based on the user. We can have different deployments, or override auth options on individual devices, but we cannot have DefensX, based on the AD user signing into a machine, require them to sign in using IAM so that it follows them to any machine they use in the event they use other devices.

Sounds silly perhaps, but it's not worth it to the customer to have the disruption of requiring 200+ devices to authenticate via IAM instead of logon user. Allowing the entire organization to auth to IAM is one thing, but just because it's an option doesn't mean they'll do it. Thinking with a zero trust mindset: don't ask people not to do it, take away their ability to do it and force them to do IAM auth so you can ensure things are being done the way you want/need.