cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
520
Views
2
Helpful
3
Replies

Domain Admin in Windows Active Directory

TonyM1
Level 1
Level 1

Hi,

I would like to clarify the license counts on Windows Logon and RDP. In the document, it mentioned all interactive users will be enrolled in Duo admin page. But in our environment, we wants to enable 2FA for Windows Domain Admin only. Do we need to count the license for the Domain users?

Regards,

Tony

1 Accepted Solution

Accepted Solutions


@TonyM1 wrote:

My understanding is that ALL users should be included in the Duo admin panel regardless of whether they need to enable 2FA or not.


This really depends on your use case? We have policy options that let you require MFA for some users. There are lots of ways to combine enrollment status and policy settings to scope Duo 2FA (and therefore the number of licenses you need) to a target group instead of your whole user population.

With Duo for Windows Logon/RDP as an example, someone who only wants 2FA for a group of domain admins could...

1. Set the global new user policy to allow unenrolled users.

2. Enroll the domain admins in Duo (meaning the user exists in Duo with a 2FA device attached).

3. Create the Microsoft RDP application install the Duo for Windows Logon client on some Windows box.

4. Result: the domain admin users who have enrolled in Duo must complete 2FA when they log in to that Windows system. All other users who aren't enrolled in Duo log in to the system without MFA

 

Duo, not DUO.

View solution in original post

3 Replies 3

Pulkit Mittal
Spotlight
Spotlight

Hi Tony,

Duo consumes a license for every user count in admin panel. I suggest looking at adding alias to existing users if the username is not same. However, if its a separate account for Domain Admins not present in duo panel, it will cost an additional license. 

Regards,

Pulkit

Please mark this helpful if you are happy with the response.

TonyM1
Level 1
Level 1

Hi Pulkit,

Yes, the alias can help in this. My understanding is that ALL users should be included in the Duo admin panel regardless of whether they need to enable 2FA or not. Duo may not fit my requirements because I would have to purchase a large number of license counts for non-2FA users.

Regards,

Tony


@TonyM1 wrote:

My understanding is that ALL users should be included in the Duo admin panel regardless of whether they need to enable 2FA or not.


This really depends on your use case? We have policy options that let you require MFA for some users. There are lots of ways to combine enrollment status and policy settings to scope Duo 2FA (and therefore the number of licenses you need) to a target group instead of your whole user population.

With Duo for Windows Logon/RDP as an example, someone who only wants 2FA for a group of domain admins could...

1. Set the global new user policy to allow unenrolled users.

2. Enroll the domain admins in Duo (meaning the user exists in Duo with a 2FA device attached).

3. Create the Microsoft RDP application install the Duo for Windows Logon client on some Windows box.

4. Result: the domain admin users who have enrolled in Duo must complete 2FA when they log in to that Windows system. All other users who aren't enrolled in Duo log in to the system without MFA

 

Duo, not DUO.
Quick Links