<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: State of user devices after unsynced/removed from directory in Managing Users</title>
    <link>https://community.cisco.com/t5/managing-users/state-of-user-devices-after-unsynced-removed-from-directory/m-p/4937386#M1297</link>
    <description>&lt;P&gt;Thanks&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/878627"&gt;@DuoKristina&lt;/a&gt;, is there any way we can automate this so that when a user is removed via directory sync, it removes the associated devices from other accounts as well, if they have any?&lt;/P&gt;</description>
    <pubDate>Tue, 10 Oct 2023 18:28:47 GMT</pubDate>
    <dc:creator>RookieNet55</dc:creator>
    <dc:date>2023-10-10T18:28:47Z</dc:date>
    <item>
      <title>State of user devices after unsynced/removed from directory</title>
      <link>https://community.cisco.com/t5/managing-users/state-of-user-devices-after-unsynced-removed-from-directory/m-p/4937347#M1295</link>
      <description>&lt;P&gt;We sync users with our Microsoft AD to manage users in Duo. We have a few service accounts for which multiple users' phones or devices are set up for that account. What happens to these devices when a user is removed via directory sync and this user's device is associated with a service/common account? Will these users' devices still get Duo MFA push for those service accounts if they have the app installed on them but they are not part of our Duo MFA instance anymore?&lt;/P&gt;&lt;P&gt;Also, I would like some suggestions on how you all are dealing with these scenarios. Would there be a better automated way to do this?&lt;/P&gt;</description>
      <pubDate>Tue, 10 Oct 2023 16:38:38 GMT</pubDate>
      <guid>https://community.cisco.com/t5/managing-users/state-of-user-devices-after-unsynced-removed-from-directory/m-p/4937347#M1295</guid>
      <dc:creator>RookieNet55</dc:creator>
      <dc:date>2023-10-10T16:38:38Z</dc:date>
    </item>
    <item>
      <title>Re: State of user devices after unsynced/removed from directory</title>
      <link>https://community.cisco.com/t5/managing-users/state-of-user-devices-after-unsynced-removed-from-directory/m-p/4937380#M1296</link>
      <description>&lt;P class="lia-indent-padding-left-30px"&gt;&lt;A title="What happens if a phone number is deleted from a directory?" href="https://duo.com/docs/dirsync-faq#what-happens-if-a-phone-number-is-deleted-from-a-directory?" target="_blank" rel="noopener"&gt;What happens if a phone number is deleted from a directory?&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;SPAN&gt;If a phone number is deleted from a directory user and is not attached to any other Duo users when it is removed, the phone is deleted from Duo at the next sync. If the phone is attached to more than one user in Duo then the phone will still exist and remain attached to the users from whom the phone was not removed. You can manually delete that phone from the Admin Panel.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;If the phone is activated for Duo Push and remains attached to at least one user the phone remains in Duo and that remaining user's login attempts can continue using Duo Push with that phone.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 10 Oct 2023 18:24:32 GMT</pubDate>
      <guid>https://community.cisco.com/t5/managing-users/state-of-user-devices-after-unsynced-removed-from-directory/m-p/4937380#M1296</guid>
      <dc:creator>DuoKristina</dc:creator>
      <dc:date>2023-10-10T18:24:32Z</dc:date>
    </item>
    <item>
      <title>Re: State of user devices after unsynced/removed from directory</title>
      <link>https://community.cisco.com/t5/managing-users/state-of-user-devices-after-unsynced-removed-from-directory/m-p/4937386#M1297</link>
      <description>&lt;P&gt;Thanks&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/878627"&gt;@DuoKristina&lt;/a&gt;, is there any way we can automate this so that when a user is removed via directory sync, it removes the associated devices from other accounts as well, if they have any?&lt;/P&gt;</description>
      <pubDate>Tue, 10 Oct 2023 18:28:47 GMT</pubDate>
      <guid>https://community.cisco.com/t5/managing-users/state-of-user-devices-after-unsynced-removed-from-directory/m-p/4937386#M1297</guid>
      <dc:creator>RookieNet55</dc:creator>
      <dc:date>2023-10-10T18:28:47Z</dc:date>
    </item>
    <item>
      <title>Re: State of user devices after unsynced/removed from directory</title>
      <link>https://community.cisco.com/t5/managing-users/state-of-user-devices-after-unsynced-removed-from-directory/m-p/4937456#M1298</link>
      <description>&lt;P&gt;Not easily... like, there isn't a checkbox or toggle that will enable this in the sync. We defaulted to retaining the device if attached to another user so the remaining user does not have to re-enroll an auth device in Duo.&lt;/P&gt;
&lt;P&gt;A possibility is to use our &lt;A href="https://duo.com/docs/adminapi" target="_self"&gt;Admin API&lt;/A&gt; to do it programmatically, but even that isn't straightforward... off the top of my head:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;A href="https://duo.com/docs/adminapi#retrieve-users" target="_self"&gt;retrieve users&lt;/A&gt;&amp;nbsp;and look for those with status = pending deletion and a value for&amp;nbsp;&lt;SPAN&gt;last_directory_sync&lt;/SPAN&gt; (because the sync marked the user for deletion)&lt;/LI&gt;
&lt;LI&gt;parse out the phones attached to that user by phone_id in the retrieve users response&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://duo.com/docs/adminapi#delete-phone" target="_self"&gt;delete the phones&lt;/A&gt; that are attached to that pending deletion user by phone_id, which will remove the targeted phones from any user accounts not marked for deletion&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;If you contact Duo Support you can submit a feature request for making this an option in directory sync config.&lt;/P&gt;</description>
      <pubDate>Tue, 10 Oct 2023 21:50:51 GMT</pubDate>
      <guid>https://community.cisco.com/t5/managing-users/state-of-user-devices-after-unsynced-removed-from-directory/m-p/4937456#M1298</guid>
      <dc:creator>DuoKristina</dc:creator>
      <dc:date>2023-10-10T21:50:51Z</dc:date>
    </item>
  </channel>
</rss>

