With all MFA vendors, I prefer to have them do a single role, which is to perform the MFA process and simply give me an accept or reject back indicating whether the MFA process passed or failed. Then I have ISE do all the necessary AD look-ups in the authorization phase to provide granular control. To that end, I always set up my MFA vendors as RADIUS Token servers and use that definition in the authentication section of my policy sets requiring MFA. After the user passes MFA, their username can be checked against AD to provide the granular control you want.
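A small model of the two-phase design described in that post, added here as an example (it is not code from the post, from Cisco ISE or from any MFA vendor). The MFA vendor is modelled as a RADIUS token server that returns nothing but Access-Accept or Access-Reject, and the group lookup that drives authorization happens afterwards against a directory. The user names, one-time codes, groups and profile names are all constructed for the example; `evaluate()` is a hypothetical stand-in for an ISE policy set, not an ISE API.

```python
"""Added example: authentication delegated to a RADIUS token server,
authorization decided from directory group membership.
Everything below is constructed for illustration."""

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class RadiusResult(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"


# Constructed stand-in for the MFA vendor's RADIUS token server. It only
# validates username + OTP and answers accept/reject. It returns no
# attributes and no group data, so it cannot shape authorization by itself.
MFA_TOKEN_DB = {"alice": "123456", "bob": "654321", "carol": "111111"}


def mfa_token_server(username: str, otp: str) -> RadiusResult:
    if MFA_TOKEN_DB.get(username) == otp:
        return RadiusResult.ACCEPT
    return RadiusResult.REJECT


# Constructed stand-in for the directory (AD) lookup used in the
# authorization phase. Membership is keyed by the username that passed MFA.
DIRECTORY_GROUPS = {
    "alice": {"VPN-Users", "Net-Admins"},
    "bob": {"VPN-Users"},
    "carol": set(),  # holds a valid token but has no group entitlements
}

# Authorization rules evaluated top-down, first match wins, in the style of
# a policy set: (required group, authorization profile to return).
AUTHZ_RULES = [
    ("Net-Admins", "PERMIT_ADMIN_FULL"),
    ("VPN-Users", "PERMIT_USER_SPLIT_TUNNEL"),
]
DEFAULT_PROFILE = "DENY_ACCESS"  # default rule when nothing matches


@dataclass
class Decision:
    authenticated: bool
    profile: Optional[str]  # None when authentication failed
    reason: str


def evaluate(username: str, otp: str) -> Decision:
    """Hypothetical policy-set evaluation: MFA first, then group-based authz."""
    # Authentication phase: the only input is the token server's verdict.
    if mfa_token_server(username, otp) is RadiusResult.REJECT:
        return Decision(False, None, "MFA rejected; authorization not evaluated")

    # Authorization phase: groups come from the directory, not the MFA vendor.
    groups = DIRECTORY_GROUPS.get(username, set())
    for group, profile in AUTHZ_RULES:
        if group in groups:
            return Decision(True, profile, f"matched group {group}")
    return Decision(True, DEFAULT_PROFILE, "no authorization rule matched")


if __name__ == "__main__":
    for user, code in [("alice", "123456"), ("bob", "654321"),
                       ("carol", "111111"), ("alice", "000000"),
                       ("dave", "999999")]:
        print(user, evaluate(user, code))
```

The point the model makes visible: a successful MFA response on its own never grants access. `carol` passes MFA but lands on the default deny rule because the directory grants her nothing, and a username unknown to the directory is handled the same way. Granularity lives entirely in the authorization rules, which is why the MFA vendor can stay a plain accept/reject RADIUS token server.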
What if the customer is replacing AD with Okta Universal Directory or never implemented AD in the first place? In that case, is ISE currently unable to do any kind of fine grained user control using groups?
In all of my installs, the customers have used AD as their source of truth. I haven't worked with Okta Universal Directory, but I think you would have three options: