DUO policy vs User Bypass

alceryes · ‎08-13-2023

I have the 'Deny Access to Unenrolled Users' policy active for all users/groups.

I have one user that needs ad-hoc special access without authenticating through DUO (3rd party contractor - not able to install/use an app). I have created a user account for him and added his phone number. He now appears as an inactive user NOT not enrolled.

Is this enough for him to be considered enrolled and for the 'Bypass' option to work under the user - status, so he won't need to authenticate with DUO when logging in?

DuoKristina · ‎08-15-2023

That should be sufficient. You don't mention which Duo application you're using. Some of them treat partially-enrolled users in a slightly different but typically if a user exists in Duo for you to be able to set bypass status on that user it's enough to bypass with that new user policy setting configured.

You could also explore alternative authentication methods to have the contractor actually use MFA when logging in that don't rely on the Duo Mobile app, like a hardware token or SMS/Phone call, and restrict use of those methods to ONLY that one contractor by using group policy (apply the policy to a Duo group containing just that contractor for that Duo application).

Duo, not DUO.