Exclude Group on one Endpoint?

10-16-2020 05:15 AM
I have Duo Authentication for Windows Logon and RDP installed on servers for a client. In our scenario we want to exclude a group of users on Server1, but still apply MFA to all users on Server2.
Is this possible?
EDIT: I wasn’t clear originally. We want a certain group to bypass MFA on Server 1.
10-16-2020 05:29 AM
Yep, you can accomplish this using the Permitted groups setting on an application’s properties page.

10-16-2020 09:47 AM
Will using this block all users outside the permitted group or set users outside of the group to bypass?
10-16-2020 09:56 AM
Per the docs linked above, “Saving this change [configuring permitted groups] blocks active Duo users who aren’t members of the selected groups from accessing that application.”

10-16-2020 10:20 AM
Hello - I apologize, I was not clear. We want a certain group to bypass MFA on Server 1.
10-16-2020 11:32 AM
Ah sorry, I misunderstood your first post.
You can use an Authentication Policy to achieve what you’re after.
If server1 and server2 are separate Duo applications in your admin panel, then you’ll want to apply a Bypass 2FA Authentication Policy to the targeted group on Server1’s application properties page in the Duo Admin Panel.
Assuming you don’t have any other policies in place at the global, application, or group level, all users would still be prompted for 2FA when accessing Server2.
