2788 Views · 7 Helpful · 18 Replies

New User Enrollment with bypass codes

doGlooPA (Level 2)

In our environment we use Active Directory to import users into Duo. We use the login MFA application to provide MFA to our Windows devices. When new employees start, our plan was to create a one time bypass code for their account so they can get into Windows and get to their email where their enrollment codes should be so they can enroll their phone in Duo. 
We just started this process but pretty sure it worked a few times previously. Currently though, it is not working. When a new user enters their password they are given a prompt in Windows to "Enroll an authentication device to proceed." They are not given an option to use the bypass code to bypass MFA. I am guessing that a bypass code is not considered a device so with no device setup, it stops there. I swear this worked a few times in testing but maybe there were other circumstances involved with the accounts. 
Any thoughts or ideas on how to get new users enrolled in our environment? My only other thought is to try to get a phone added to their accounts beforehand, but that is difficult with new hires.
Thanks!

18 Replies

doGlooPA (Level 2)

Thanks Kristina. I will reach out and upvote that. It seems the bypass code method would work best if allowed. Allowing new users to enroll using their devices means we need to allow mobile browsers. We specifically blocked those to prevent people from using their personal phones to connect to our Duo Central site and launch SAML apps on their phones. My guess is we will now need to create a new policy surrounding SAML apps for extra security. 

 Allowing new users to enroll using their devices means we need to allow mobile browsers

You don't have to do this to get what you want I think.

  1. Have phone # in AD.
  2. Import new user with phone from sync. Don't send an enrollment email.
  3. Create bypass code for new user and communicate it to them somehow (with their AD creds?). You give them maybe 24 hours to reuse the code. You tell the user to use the bypass code to log in if you have not allowed SMS or phone call authentication methods.
  4. User logs in to Windows that day with AD creds and bypass code.
  5. Also that day user launches browser on that Windows system, which I have assumed is trusted, to log into Duo Central and get to self-service management. They use either the bypass code (or use SMS/phone if you allow it) to get into device management.
  6. User activates their phone for push or enrolls whatever other methods you allow (passkeys?).
  7. The bypass code expires but user doesn't need it anymore because they have one or more usable auth methods.

There are multiple possible permutations of this that wouldn't require you letting them use the phones themselves to access Duo Central or any SAML apps.

Duo, not DUO.
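An added example, not from the thread and not Duo's own code, of how step 3 above (create a short-lived bypass code for a user that was synced from AD but has not yet enrolled a device) could be scripted against the Duo Admin API. It uses the third-party `duo_client` library for the live call; the environment variable names, the 24-hour window, the two-use limit and the sample user record are assumptions. The decision logic refuses to issue a code to anyone who already has a phone or hardware token on the account, so a re-run of the script cannot hand a second factor to an already-enrolled user.

```python
"""Issue a time-limited Duo bypass code to a newly synced, not-yet-enrolled user.

Added example (not from the thread or from Duo). Assumes the Duo Admin API
as exposed by the `duo_client` package, with credentials in the environment
variables DUO_IKEY, DUO_SKEY and DUO_HOST (assumed names).
"""
import os
from datetime import timedelta

# Policy choices from the reply above: the code dies after about a day and
# covers one Windows logon plus one self-service (Duo Central) logon.
BYPASS_VALIDITY = timedelta(hours=24)
BYPASS_USES = 2

# Constructed sample record in the shape the Admin API returns for a user
# (only the fields this script reads); not a real account.
SAMPLE_NEW_HIRE = {
    "user_id": "DUXXXXXXXXXXXXXXXXXX",
    "username": "new.hire",
    "status": "active",
    "phones": [],
    "tokens": [],
}


def has_enrolled_device(user):
    """True if the user record already carries a phone or hardware token."""
    return bool(user.get("phones")) or bool(user.get("tokens"))


def bypass_code_request(user, validity=BYPASS_VALIDITY, uses=BYPASS_USES):
    """Decide whether a user should get a bypass code and build the API parameters.

    Returns None when the user already has a device (nothing to issue);
    otherwise the keyword arguments for Admin.add_user_bypass_codes().
    Refuses users that are not active (disabled, pending deletion, etc.).
    """
    if user.get("status") != "active":
        raise ValueError(
            f"user {user.get('username')!r} has status {user.get('status')!r}, not active"
        )
    if has_enrolled_device(user):
        return None
    return {
        "user_id": user["user_id"],
        "count": 1,
        "valid_secs": int(validity.total_seconds()),
        "remaining_uses": uses,
    }


def issue_bypass_code(admin_api, username):
    """Look the user up by username and create the code.

    admin_api is a duo_client.Admin instance (or anything with the same two
    methods). Returns the new code as a string, or None if the user already
    has an enrolled device. add_user_bypass_codes() is assumed to return the
    list of code strings the API sends back.
    """
    matches = admin_api.get_users_by_username(username)
    if not matches:
        raise LookupError(f"no Duo user named {username!r}; has the AD sync run?")
    params = bypass_code_request(matches[0])
    if params is None:
        return None
    codes = admin_api.add_user_bypass_codes(**params)
    return codes[0]


def live_client():
    """Build a real Admin API client from the environment (network access required)."""
    import duo_client  # third-party: pip install duo_client

    return duo_client.Admin(
        ikey=os.environ["DUO_IKEY"],
        skey=os.environ["DUO_SKEY"],
        host=os.environ["DUO_HOST"],
    )


if __name__ == "__main__":
    # Offline demonstration on the constructed record; for a real run use
    # issue_bypass_code(live_client(), "new.hire") instead.
    request = bypass_code_request(SAMPLE_NEW_HIRE)
    print("would call add_user_bypass_codes with:", request)
```

Because the code is created with `valid_secs` and `remaining_uses` rather than left open-ended, it expires on its own after step 7 whether or not anyone remembers to revoke it, and the `has_enrolled_device` check keeps the script from being usable as a way to add a bypass code to an account that already has a phone.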

We did just create a new application level policy that blocks mobile devices for all the apps we don't want them to access in Duo Central with their phones. It was easier than I thought and seems to work well. 

doGlooPA (Level 2)

That is what we have tried, but we have the Duo Logon MFA app already installed on all PCs, so you need to have MFA to get past that. Or a bypass code, but for new users a bypass code with no device enrolled is not allowed. So we are back to changing bypass codes to allow that, which I did upvote with support. For now, though, we will have to give new employees an enrollment code and a link to the enrollment page, and they will need to enroll via their cell phone before being able to log on to any PCs. Not convenient, but it works.