
Enrolling Directory Sync users

theITgui
Level 1

Good Afternoon,

I am in the process of rolling out MFA for all in our organization. We've been using it for admins only for over a year. I have Directory Sync all set up but I'm running into some issues with the process.

If I sync users and set them to "Active" when imported, the user cannot log in because they haven't enrolled.

If I sync users and set the user to "Bypass", they can log into their workstation but can't access the enrollment e-mail because they're set to "Bypass".

What is the trick here? Set them as "Active" when already logged in so they can get to the enrollment e-mail? This is what I did for the first user I added. Is there no way for the unenrolled user to be prompted for enrollment when logging in?

6 Replies

DuoKristina
Cisco Employee

No idea which application you are protecting with Duo, but since you say they can't enroll I am going to guess Duo for Windows Logon or another similar application which doesn't show Duo enrollment in a browser window.

Apply a policy to the Duo application at the application level with the New User Policy set to "Allow access without 2FA" and the Authentication Policy set to "Bypass 2FA". That way the users wouldn't need to complete any Duo MFA at login, even though they're Active, but they WOULD be able to access online enrollment following the link in the email they receive.

Once everyone is enrolled, remove the application-level policy and they will have to 2FA at the app.

Duo, not DUO.

Kristina,

Thank you for the reply. You're correct, it is Windows Logon. Everything you say sounds good. We can certainly disable authentication for a short time while enrolling users.

Scott

You can combine an application policy set on your RDP app that bypasses 2FA (to let non-admins that still need to enroll log in) with a group policy that requires 2FA set on your RDP app targeting a group of your existing admins who are already enrolled in Duo, so that your privileged users still get login protection.

If you are using AD sync and those admins are synced from AD you'll need to sync over an AD group containing those admins into Duo to use as the group policy target, since you can't manually add synced users to a group from the Duo side.

Duo, not DUO.

May I ask which GPO I would use to enforce 2FA on admins? I can see the idea of putting admins in a separate OU so they sync with Duo in their own group but I'm unaware of a GPO to force 2FA. Do you mean an additional Duo policy?

Yes, on the application in Duo, an application policy that bypasses MFA that would be effective for your users who need to enroll, and an application group policy that requires MFA that would be effective for members of a specified group, i.e.

[Screenshot attached: DuoKristina_0-1726252804535.png]

Duo, not DUO.
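The combination described in this answer works because of Duo's policy precedence: a group policy on the application wins for members of the targeted group, the application policy wins for everyone else, and the global policy only applies where neither exists. The script below is an added example, not code from this thread or from Duo; it models that precedence for a Duo for Windows Logon prompt and reports which accounts are logging in without MFA during the enrollment window and which would be blocked at the console (an unenrolled admin placed in the "requires 2FA" group, for instance). The option labels are the Admin Panel's; the field names, the group names and every sample user are constructed assumptions for the illustration.

```python
"""Model of Duo effective-policy resolution for a Windows Logon prompt.

Added example, not code from this thread or from Duo. The precedence it
encodes (group policy, then application policy, then global policy) is the
documented Duo order; the dataclass fields, group names and users below are
assumptions constructed for this illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Option labels as shown in the Duo Admin Panel.
REQUIRE_ENROLLMENT = "Require enrollment"
ALLOW_WITHOUT_2FA = "Allow access without 2FA"
ENFORCE_2FA = "Enforce 2FA"
BYPASS_2FA = "Bypass 2FA"
DENY = "Deny access"


@dataclass(frozen=True)
class Policy:
    name: str
    new_user_policy: str        # governs users who have not enrolled yet
    authentication_policy: str  # governs users who are enrolled


@dataclass(frozen=True)
class User:
    username: str
    enrolled: bool
    status: str = "Active"      # Duo user status: "Active" or "Bypass"
    groups: frozenset = frozenset()


def effective_policy(user: User, group_policies: List[Tuple[str, Policy]],
                     app_policy: Optional[Policy], global_policy: Policy) -> Policy:
    """Group policies (checked in listed order) beat the application policy,
    which beats the global policy."""
    for group_name, policy in group_policies:
        if group_name in user.groups:
            return policy
    return app_policy if app_policy is not None else global_policy


def login_outcome(user: User, policy: Policy) -> str:
    """Result at a Duo for Windows Logon prompt under the resolved policy."""
    if user.status == "Bypass":
        return "allowed without 2FA"   # user-level Bypass status overrides every policy
    if not user.enrolled:
        if policy.new_user_policy == ALLOW_WITHOUT_2FA:
            return "allowed without 2FA"
        # Windows Logon cannot show browser enrollment, so "Require enrollment"
        # (and "Deny access") leaves the unenrolled user unable to log in.
        return "blocked"
    if policy.authentication_policy == ENFORCE_2FA:
        return "2FA required"
    if policy.authentication_policy == BYPASS_2FA:
        return "allowed without 2FA"
    return "blocked"


def audit(users: List[User], group_policies, app_policy, global_policy):
    """Return (unprotected, locked_out): accounts that log in with no MFA under
    this configuration, and accounts the configuration blocks at the console."""
    unprotected, locked_out = [], []
    for user in users:
        outcome = login_outcome(user, effective_policy(user, group_policies, app_policy, global_policy))
        if outcome == "allowed without 2FA":
            unprotected.append(user.username)
        elif outcome == "blocked":
            locked_out.append(user.username)
    return sorted(unprotected), sorted(locked_out)


# Constructed configuration mirroring the thread: enrollment-window policy on the
# RDP application, group policy for already-enrolled users, strict global policy.
GLOBAL_POLICY = Policy("Global Policy", REQUIRE_ENROLLMENT, ENFORCE_2FA)
RDP_APP_POLICY = Policy("RDP enrollment window", ALLOW_WITHOUT_2FA, BYPASS_2FA)
RDP_GROUP_POLICIES = [("Duo Users", Policy("Enrolled users", REQUIRE_ENROLLMENT, ENFORCE_2FA))]

SAMPLE_USERS = [  # constructed sample accounts
    User("admin.jane", enrolled=True, groups=frozenset({"Duo Users"})),
    User("scott.pilot", enrolled=False, groups=frozenset({"Duo Pilot Users"})),
    User("newly.enrolled", enrolled=True, groups=frozenset({"Duo Pilot Users"})),  # enrolled, not yet moved
    User("admin.new", enrolled=False, groups=frozenset({"Duo Users"})),            # would be locked out
    User("svc.bypass", enrolled=False, status="Bypass"),
]


def rollout_report():
    return audit(SAMPLE_USERS, RDP_GROUP_POLICIES, RDP_APP_POLICY, GLOBAL_POLICY)


if __name__ == "__main__":
    unprotected, locked_out = rollout_report()
    print("logging in without MFA:", unprotected)
    print("blocked at logon:", locked_out)
```

Two things the report surfaces that the thread only implies: a user who has enrolled but is still in the pilot group keeps logging in without MFA until moved, so group membership, not enrollment, is what closes the window; and anyone synced into the "requires 2FA" group before enrolling is locked out of the console, so enrollment of admins should be confirmed before that group policy is applied.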

Kristina,

You're awesome, thank you! I have created two Duo (and AD) Groups now: Duo Users and Duo Pilot Users. I realized that regular Duo users already enrolled and Admins already enrolled should be able to use 2FA while I'm enrolling new people. I have the more permissive policy set to "Duo Pilot Users" and the enforcement still on for "Duo Users".

I tested with an unenrolled user with the global policy still set to enforce 2FA. No need to edit global policy now, just move them into the correct AD group once enrolled.

Scott
