2FA / DUO / AD Auth / Use security group instead of tagging Description field

Any way CW Control can use security group to enable 2FA/DUO?  With the current Control implementation, all host users are required to have tag [duo:username] embedded in their AD Description field which does not work well in our environment.  Alternatively, I don't mind enforcing 2FA for ALL host users by default, without messing with the AD description attribute.