AuthLite Interactive Documentation
Quick Start: Install and protect Domain Admins AuthLite Features Supported Tokens Installation and Upgrading Configuration Token Management How to Log In Troubleshooting

You can block all network access to a server by using Group Policy, but if you want to more narrowly tailor permission, you can use the filesystem's Access Control Lists.

The first method (see Fig. 1) is to remove permissions from everyone except the AuthLite 2-Factor Session Tag group, and any other users or groups you explicitly want to allow without 2-factor authentication.  You need to be careful that the AuthLite users are not in any other groups that have access too. It only takes one Allow match for the user to get in.  For example if you had a permission that lets Domain Users have access, then they'll be able to get in regardless of their membership in AuthLite or whether they used 1F/2F authentication.

The second method (see Fig. 2) is to leave all the existing permissions in place, but add a Deny permission for the AuthLite 1-Factor Session Tag group.  This is neat because it's minimally disruptive: all the same users will be able to access the share as before.  But now anyone who happens to be an AuthLite User must also have a 2-factor session, otherwise the Deny triggers and blocks them.  Unlike the above configuration, even if the AuthLite users are in the Allow permission, they'll get blocked here if they don't have a 2-factor session.