11-08-2021 12:02 PM
Hi,
So in testing Duo for my test tenant, I imported accounts via Azure Directory Sync. That went great.
I created a Duo protected application for my M365 cloud apps. Worked great.
So I noticed that I now have duplicate names. I see in some other posts that “username normalization” will cause this but I am not really sure which accounts I should delete.
The account that was spontaneously created works and the dir sync account shows as never authenticated. The “never authenticated” has all the relevant account info like email, first\last name etc.
So I need to enforce users using their sync’d account and not have Duo create a new account.
Do I simply turn off username normalization, delete the newly created account and have the sync’d account perform a new enrollment?
I wish there was a “merge” feature and an admin could choose which account was to be deleted etc.
Thanks!
Michael
11-08-2021 01:23 PM
Hi @mikepiet, yes, I’d recommend you turn off username normalization. Username aliases can be used to add multiple variations of usernames to a single user in addition. Because usernames in Duo need to be unique, you will need to delete the duplicate users before you can re-add the alternate usernames as aliases. Duo does not sync an entire directory, but rather a security group and its members, so you should be able to simply remove any users from that group in Active Directory and sync the group to Duo to mark those duplicate users for deletion.
When you sync the users from Azure Active Directory, ensure you sync samaccountname, userprincipalname, msDS-PrincipalName and mail attributes. Any one of these can be the primary username and the others aliases, as long as the ones required are defined. In this way, with Username Normalization set to disabled (none), the username should match the correct user under most circumstances.
I hope that helps!
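The cleanup described in the answer above, sketched as an added example that is not part of the thread and is not Duo's code: it groups accounts whose usernames collapse to the same name and, for each collision, keeps the directory-synced account, deletes the auto-created one first, then reuses its username as an alias. The row fields (`synced`, `last_login`), the sample users and the normalization rule in `simple_normalize` are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample rows; the field names are assumptions, not a Duo export format.
USERS = [
    {"username": "jdoe@contoso.example", "synced": True, "last_login": None},
    {"username": "jdoe", "synced": False, "last_login": "2021-11-05"},
    {"username": "asmith@contoso.example", "synced": True, "last_login": "2021-11-04"},
    {"username": "CONTOSO\\bwong", "synced": True, "last_login": None},
    {"username": "bwong@contoso.example", "synced": True, "last_login": None},
]

def simple_normalize(username):
    """Assumed rule: lowercase, drop a DOMAIN\\ prefix and an @domain suffix."""
    name = username.strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    return name.split("@", 1)[0]

def plan_cleanup(users):
    """Group accounts that collapse to one name and decide what to do per group."""
    groups = defaultdict(list)
    for user in users:
        groups[simple_normalize(user["username"])].append(user)
    plan = []
    for key, members in sorted(groups.items()):
        if len(members) < 2:
            continue  # no collision for this person
        synced = [u for u in members if u["synced"]]
        extra = sorted(u["username"] for u in members if not u["synced"])
        if len(synced) != 1:
            # Zero or several synced accounts: no safe automatic choice.
            names = sorted([u["username"] for u in synced] + extra)
            plan.append({"name": key, "action": "review", "accounts": names})
            continue
        plan.append({
            "name": key,
            "action": "delete_then_alias",
            "keep": synced[0]["username"],   # directory-synced account stays
            "delete": extra,                 # auto-created duplicates go first
            "add_aliases": extra,            # then their names become aliases
            "reenroll": synced[0]["last_login"] is None,  # never authenticated
        })
    return plan

if __name__ == "__main__":
    for step in plan_cleanup(USERS):
        print(step)
```

The `review` outcome covers the case where two synced accounts collide, which should be resolved in the directory group rather than by deleting users in Duo.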
11-19-2021 12:36 PM
Hi Amy,
I wanted to say thank you for the reply! It was tremendously helpful.