If the user has a device for authentication the user is fully ENROLLED, whether it is a landline, feature phone, smartphone, etc.

ACTIVATION of the Duo Mobile app is optional, but encouraged for smartphone users so they can use Duo Push or app passcodes instead of phone call/SMS.

Yes, in your example scenario the user is enrolled. You cannot send an enrollment to the user who is already enrolled. You can send them an activation message for the mobile app.

If you take the following actions:

1. Delete the currently configured directory sync.
2. Delete all formerly synced users (a two-step process; move to trash then delete from trash).
3. Create a new directory sync, and check the box to send enrollment emails, and do not check the box to import phone numbers.
4. Run the sync.

Then yes, the previously enrolled users would no longer exist, so when the sync process creates them it will email out an enrollment link (and during enrollment one step is activating the Duo Mobile app).

As before, once the users enroll you cannot send another enrollment link.

What are you seeking to accomplish? There may be a better way to do it if we understood your reason for wanting to have enrolled users enroll again.

Oh, ok. So, yes, you should probably run through the cleanup steps in my previous comment to completely purge the sync and the erroneously imported users, and then create a new sync, only syncing over a group of pilot users.

Meanwhile, change the new user policy to the “Allow access without 2FA” setting globally or in policies assigned to your pilot applications.

The net result of this is that members of the pilot group will use 2FA to access the pilot applications, and all other users can access the applications without 2FA.

Then, as you expand your Duo deployment, just add more groups to your AD sync configuration (or add more users to the AD pilot group).

Finally, flip the switch to require 2FA for everyone by changing the new user policy back to the default “require enrollment” setting.