State of user devices after unsynced/removed from directory

RookieNet55
Level 1

We sync users with our Microsoft AD to manage users in Duo. We have a few service accounts for which multiple users' phones or devices are set up for that account. What happens to these devices when a user is removed via directory sync and this user's device is associated with a service/common account? Will these users' devices still get Duo MFA pushes for those service accounts if they have the app installed on them but they are not part of our Duo MFA instance anymore?

Also, I would like some suggestions on how you all are dealing with these scenarios; would there be a better automated way to do this?

3 Replies

DuoKristina
Cisco Employee

What happens if a phone number is deleted from a directory? 

If a phone number is deleted from a directory user and is not attached to any other Duo users when it is removed, the phone is deleted from Duo at the next sync. If the phone is attached to more than one user in Duo then the phone will still exist and remain attached to the users from whom the phone was not removed. You can manually delete that phone from the Admin Panel.

If the phone is activated for Duo Push and remains attached to at least one user the phone remains in Duo and that remaining user's login attempts can continue using Duo Push with that phone.

Duo, not DUO.

Thanks @DuoKristina, is there any way we can automate this so that when a user is removed via directory sync, it removes the associated devices from other accounts as well, if they have any?

Not easily... like, there isn't a checkbox or toggle that will enable this in the sync. We defaulted to retaining the device if attached to another user so the remaining user does not have to re-enroll an auth device in Duo.

A possibility is to use our Admin API to do it programmatically, but even that isn't straightforward... off the top of my head:

  1. Retrieve users and look for those with status = pending deletion and a value for last_directory_sync (because the sync marked the user for deletion).
  2. Parse out the phones attached to that user by phone_id in the retrieve users response.
  3. Delete the phones that are attached to that pending deletion user by phone_id, which will remove the targeted phones from any user accounts not marked for deletion.

If you contact Duo Support you can submit a feature request for making this an option in directory sync config.

Duo, not DUO.
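The three Admin API steps in the reply above, worked through in Python as an added example (not Duo's own code or tooling). It operates on the JSON `response` list of the retrieve-users call with a constructed sample, and leaves the actual HTTP calls to a caller-supplied function (for instance `duo_client.Admin.delete_phone`); the field names `status`, `last_directory_sync`, `phones`, `phone_id` and the `"pending deletion"` value come from the reply, while the `shared_with` audit step and all sample values are my own additions.

```python
"""Find directory-synced users marked 'pending deletion', collect the phones
still attached to them, report which remaining users share those phones, and
delete them by phone_id through a caller-supplied API function."""
from typing import Callable, Dict, List

# Constructed sample of the "response" list from a retrieve-users call.
# phone_ids are made up; real ones are assigned by Duo.
SAMPLE_USERS = [
    {"username": "alice", "status": "pending deletion",
     "last_directory_sync": 1700000000,
     "phones": [{"phone_id": "DPCONSTRUCTED000001"},
                {"phone_id": "DPCONSTRUCTED000002"}]},
    {"username": "svc-backup", "status": "active",          # service account
     "last_directory_sync": 1700000000,
     "phones": [{"phone_id": "DPCONSTRUCTED000002"}]},      # shares alice's phone
    {"username": "bob", "status": "pending deletion",
     "last_directory_sync": None,                           # deleted manually, not by sync
     "phones": [{"phone_id": "DPCONSTRUCTED000003"}]},
]


def phones_of_sync_deleted_users(users: List[dict]) -> List[str]:
    """Steps 1 and 2: phone_ids of users the directory sync marked for deletion."""
    phone_ids: List[str] = []
    for u in users:
        if u.get("status") != "pending deletion" or not u.get("last_directory_sync"):
            continue
        for p in u.get("phones", []):
            pid = p.get("phone_id")
            if pid and pid not in phone_ids:
                phone_ids.append(pid)
    return phone_ids


def shared_with(users: List[dict], phone_ids: List[str]) -> Dict[str, List[str]]:
    """Audit step: for each phone, the not-pending-deletion users that will lose it."""
    return {pid: [u["username"] for u in users
                  if u.get("status") != "pending deletion"
                  and any(p.get("phone_id") == pid for p in u.get("phones", []))]
            for pid in phone_ids}


def delete_phones(phone_ids: List[str], delete_phone: Callable[[str], None],
                  dry_run: bool = True) -> List[str]:
    """Step 3: delete each phone by id (e.g. delete_phone=admin_api.delete_phone)."""
    for pid in phone_ids:
        if not dry_run:
            delete_phone(pid)       # removes the phone from every attached user
    return list(phone_ids)
```

Run it with `dry_run=True` first and review the `shared_with` output, since a deleted phone disappears from the service accounts as well and those users must re-enroll.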