
Domain Admin in Windows Active Directory

TonyM1
Level 1

Hi,

I would like to clarify the license counts on Windows Logon and RDP. In the document, it mentioned all interactive users will be enrolled in the Duo admin page. But in our environment, we want to enable 2FA for Windows Domain Admins only. Do we need to count the license for the Domain users?

Regards,

Tony

Accepted Solutions


@TonyM1 wrote:

My understanding is that ALL users should be included in the Duo admin panel regardless of whether they need to enable 2FA or not.


This really depends on your use case? We have policy options that let you require MFA for some users. There are lots of ways to combine enrollment status and policy settings to scope Duo 2FA (and therefore the number of licenses you need) to a target group instead of your whole user population.

With Duo for Windows Logon/RDP as an example, someone who only wants 2FA for a group of domain admins could...

1. Set the global new user policy to allow unenrolled users.

2. Enroll the domain admins in Duo (meaning the user exists in Duo with a 2FA device attached).

3. Create the Microsoft RDP application and install the Duo for Windows Logon client on some Windows box.

4. Result: the domain admin users who have enrolled in Duo must complete 2FA when they log in to that Windows system. All other users who aren't enrolled in Duo log in to the system without MFA.

 

Duo, not DUO.


3 Replies

Pulkit Mittal
Spotlight

Hi Tony,

Duo consumes a license for every user count in the admin panel. I suggest looking at adding an alias to existing users if the username is not the same. However, if it's a separate account for Domain Admins not present in the Duo panel, it will cost an additional license.

Regards,

Pulkit

Please mark this helpful if you are happy with the response.

TonyM1
Level 1

Hi Pulkit,

Yes, the alias can help in this. My understanding is that ALL users should be included in the Duo admin panel regardless of whether they need to enable 2FA or not. Duo may not fit my requirements because I would have to purchase a large number of license counts for non-2FA users.

Regards,

Tony

