
Entra Synced Users can't sign into Windows

zach-herberger
Level 1

Here is a rundown of what has been done and the issue I keep running into:

  1. Fresh M365 tenant and DUO tenant created
  2. Created users in M365, then set up Entra Directory Sync and ran it to pull them into DUO
  3. Created and protected an application for RDP with simple defaults
  4. Installed DUO for Windows Logon on an Entra-joined PC
  5. Tried to sign into the PC with username@domain.com, but DUO says the account doesn't exist
  6. Manually added the alias "FirstnameLastname" (no spaces) to the user account in DUO
  7. Signed in again; DUO logon works.

I have attempted to look up how to sync users over with this alias setup, or how to get DUO to identify users differently so this is not an issue, with no luck. I assume I am missing a setting or step somewhere, so I would appreciate any help. Thank you.

4 Replies

wajidhassan
Level 4

This issue is happening because DUO for Windows Logon is trying to match the username format used at Windows sign-in with the format stored in DUO. When users sign in with username@domain.com, DUO is not recognizing that format by default unless the alias in DUO exactly matches it.

By default, Entra ID (formerly Azure AD) synced users are created in DUO using their sAMAccountName or UPN, depending on how the directory sync is configured. If DUO is expecting FirstnameLastname but Windows uses UPN to log in (username@domain.com), then there's a mismatch.

To fix this without manually editing every user:

  1. In the DUO Admin Panel, go to Directory Sync settings.

  2. Check what attribute DUO is using for the username – it should ideally be UPN if you want logins to work with username@domain.com.

  3. Change the username attribute mapping to userPrincipalName instead of sAMAccountName in the sync configuration.

  4. Re-sync your directory. This will align DUO’s expected usernames with how users log in to Windows.

This way, you won’t need to manually add aliases for every user, and logins via username@domain.com will be recognized properly by DUO during RDP logins.

I just went into DUO under the new tenant and went to Users > External Directories > Microsoft Entra ID. I see that the username attribute is already set to userPrincipalName, as you said to set it (unchanged). If I double-check a user that got synced, it is set to the Microsoft email/username, which is usually fLastname@domain.com. I then go to sign into Windows with fLastname@domain.com and DUO errors with:
"Access is not allowed because you are not enrolled in the DUO service. Please contact your organization IT"

Like before, if I add FirstnameLastname as an alias, it then all works.

Thank you very much for the help. Do you have any other suggestions?

wajidhassan
Level 4

It sounds like the issue you're experiencing is related to how DUO is interpreting or syncing the user accounts, and specifically how the usernames are being matched between Microsoft Entra ID (formerly Azure AD) and DUO. Based on your description, DUO is trying to match the userPrincipalName (typically the full email address like fLastname@domain.com), but it's not finding the right account unless an alias like FirstnameLastname is added.

Here are a few additional suggestions to help resolve the issue:

1. Verify User Principal Name (UPN) Consistency
The issue likely arises from DUO not finding the user in the system when you sign in with the fLastname@domain.com email address. This is expected if DUO is using a different attribute or format.

Check if UPN format is consistent:

Ensure that the userPrincipalName (UPN) in Entra ID matches the format expected in DUO.

Verify that the username attribute in DUO is correctly set to userPrincipalName in Microsoft Entra ID.

Consider a mismatch in domain formats:

If the fLastname@domain.com is different from the UPN used in your organization’s directory or DUO, you may need to ensure consistency in domain settings. Sometimes, Entra ID might sync with a PrimarySMTP or other email identifiers, and DUO needs to know exactly what format the usernames are in.

2. Check DUO Enrollment Policy
Enroll Users Manually: If users are not enrolling themselves into DUO, you can check the DUO enrollment policy to ensure that users are being prompted to enroll after their first sign-in.

In DUO, go to Administrators > Enrollment and verify if automatic enrollment is enabled.

You can also manually trigger enrollment invitations from DUO Admin > Users.

Check the DUO Sync Logs:
The DUO Admin console has detailed logs of sync activity. Check if there were any errors or warnings during the user sync process that might indicate why the users' credentials aren't syncing properly.

3. Attribute Mappings and Sync Settings
Ensure that the attribute mapping between Microsoft Entra ID and DUO is correct:

Go to the DUO Admin Console > Users and check if the userPrincipalName from Entra ID is correctly syncing.

If you added the alias to make it work (FirstnameLastname), this suggests that DUO might be associating with the mail attribute rather than the userPrincipalName. Double-check these mappings.

4. DUO Device Enrollment
Check if the user's device is enrolled and trusted in DUO, as DUO sometimes checks for trusted devices during authentication:

Go to DUO Admin Console > Devices and check if the users are listed and marked as enrolled.

5. Testing with Specific User:
To isolate the issue further, you could test the login and enrollment process with a specific test user:

Try to sign in with a test user using the fLastname@domain.com format.

Check DUO’s logs for that test user during the authentication attempt.

Ensure that this user is not in a pending state in the DUO Admin Console (this can sometimes happen if the sync process hasn't fully completed).

6. Syncing Issues (Force a Sync):
Sometimes, syncing issues can happen, especially if there’s a delay between Microsoft Entra ID and DUO. You might want to:

Force a sync in Microsoft Entra ID by going to the Azure AD Connect console if you're using it.

Trigger a manual sync in DUO via the Sync Now option in the DUO Admin Console to ensure everything is fully up-to-date.

7. DUO Troubleshooting Mode
DUO provides a useful debugging tool that can help you identify issues during the login process:

Go to DUO Admin Console > Authentication > Log Events.

Look for any errors related to user enrollment, sync issues, or the specific AADSTS900144 error and see if there are any clues as to what might be going wrong.

8. Clear Cache and Re-enroll Users
If some users are experiencing issues, it might be worth:

Clearing the browser cache for the users and testing again.

Re-enrolling users by deleting and re-adding them to the DUO system, then verifying if the issue persists.

Final Check: Test with UPN Matching
To summarize, you should check the following:

Ensure that userPrincipalName (fLastname@domain.com) is correctly mapped in DUO’s configuration.

Double-check the enrollment policies in DUO to ensure users are being prompted to enroll automatically.

Verify whether DUO is using userPrincipalName or mail to match the usernames.
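The two replies above both come down to one question: which identity the logon client submits, and which synced attribute or alias it is compared against. The following model, added here and not code from Duo, Microsoft or anyone in this thread, reproduces the symptom the original poster describes: a user synced under userPrincipalName is not found when the logon presents "FirstnameLastname", and adding that alias closes the gap. It also shows how mapping the sync to a different attribute changes what must be typed (the first reply's sAMAccountName vs. UPN point). The Entra records, the "AzureAD\" prefix handling and the exact matching rules are assumptions of this example, not documented Duo behaviour.

```python
"""Model of directory-sync username mapping and logon identity matching.

Added example, not Duo's or Microsoft's code. ENTRA_RECORDS is constructed
sample data; the normalisation and matching rules are this example's own
assumptions used to illustrate the username/alias mismatch in the thread.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample of what a directory sync might read from Entra ID.
ENTRA_RECORDS = [
    {"userPrincipalName": "fLastname@domain.com",
     "mail": "firstname.lastname@domain.com",
     "displayName": "Firstname Lastname",
     "onPremisesSamAccountName": "flastname"},
]


@dataclass
class SyncedUser:
    username: str                      # value of the mapped username attribute
    aliases: set[str] = field(default_factory=set)

    def names(self) -> set[str]:
        """All identifiers this record can be matched on, lowercased."""
        return {self.username.lower()} | {a.lower() for a in self.aliases}


def sync_directory(records, username_attribute="userPrincipalName"):
    """Create one synced user per record, taking the username from the mapped attribute."""
    return [SyncedUser(r[username_attribute]) for r in records]


def normalize(identity: str) -> str:
    """Drop a DOMAIN\\ or AzureAD\\ prefix (assumed form) and lowercase; any @suffix is kept."""
    ident = identity.strip()
    if "\\" in ident:
        ident = ident.split("\\", 1)[1]
    return ident.lower()


def resolve(identity: str, directory):
    """Return (user, matched_name) for the first user whose username or alias matches, else None."""
    wanted = normalize(identity)
    for user in directory:
        if wanted in user.names():
            return user, wanted
    return None


def add_alias(directory, username: str, alias: str) -> SyncedUser:
    """Attach an alias to an existing synced user (what the poster did by hand)."""
    for user in directory:
        if user.username.lower() == username.lower():
            user.aliases.add(alias)
            return user
    raise KeyError(username)


def explain(identity: str, directory) -> str:
    """Diagnosis line: which identifier the logon was reduced to and what it matched."""
    hit = resolve(identity, directory)
    if hit is None:
        return f"{identity!r}: no synced username or alias equals {normalize(identity)!r}"
    user, name = hit
    via = "username" if name == user.username.lower() else "alias"
    return f"{identity!r}: matched {user.username} via {via}"


if __name__ == "__main__":
    directory = sync_directory(ENTRA_RECORDS)
    print(explain("fLastname@domain.com", directory))         # found via username
    print(explain("AzureAD\\FirstnameLastname", directory))   # not found: no such username
    add_alias(directory, "fLastname@domain.com", "FirstnameLastname")
    print(explain("AzureAD\\FirstnameLastname", directory))   # found via alias
    # Mapping the sync to a different attribute changes what the logon must present:
    sam_dir = sync_directory(ENTRA_RECORDS, "onPremisesSamAccountName")
    print(explain("fLastname@domain.com", sam_dir))           # not found under sAMAccountName mapping
    print(explain("DOMAIN\\flastname", sam_dir))              # found via username
```

Reading the output as a checklist: compare the identity string the logon actually submits (taken from the authentication log, not from what the user typed) against the synced username and its aliases, then decide whether the right fix is changing the mapped attribute for everyone or adding an alias per user.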

DuoKristina
Cisco Employee