09-12-2024 09:53 AM
Good Afternoon,
I am in the process of rolling out MFA for all in our organization. We've been using it admin only for over a year. I have Directory sync all set up but I'm running into some issues with the process.
If I sync users and set them to "Active" when imported, the user cannot log in because they haven't enrolled.
If I sync users and set the user to "Bypass", they can log into their workstation but can't access the enrollment e-mail because they're set to "Bypass".
What is the trick here? Set them as "Active" when already logged in so they can get to the enrollment e-mail? This is what I did for the first user I added. Is there no way for the unenrolled user to be prompted for enrollment when logging in?
Solved! Go to Solution.
09-12-2024 11:32 AM - edited 09-12-2024 11:45 AM
No idea which application you are protecting with Duo, but since you say they can't enroll I am going to guess Duo for Windows Logon or another similar application which doesn't show Duo enrollment in a browser window.
Apply a policy to the Duo application at the application level with the New User Policy set to to "Allow access without 2FA" and the Authentication Policy set to "Bypass 2FA". That way the users wouldn't need to complete any Duo MFA at login, even though they're Active, but they WOULD be able to access online enrollment following the link in the email they receive.
Once everyone is enrolled, remove the application-level policy and they they will have to 2FA at the app.
09-13-2024 11:25 AM
You can combine an application policy set on your RDP app that bypasses 2FA (to let non-admins that still need to enroll log in) with a group policy that requires 2FA set on your RDP app targeting a group of your existing admins who are already enrolled in Duo, so that your privileged users still get login protection.
If you are using AD sync and those admins are synced from AD you'll need to sync over an AD group containing those admins into Duo to use as the group policy target, since you can't manually add synced users to a group from the Duo side.
09-13-2024 11:41 AM - edited 09-13-2024 11:41 AM
Yes, on the application in Duo, an application policy that bypasses MFA that would be effective for your users who need to enroll, and an application group policy that requires MFA that would be effective for members of a specified group, i.e.
09-12-2024 11:32 AM - edited 09-12-2024 11:45 AM
No idea which application you are protecting with Duo, but since you say they can't enroll I am going to guess Duo for Windows Logon or another similar application which doesn't show Duo enrollment in a browser window.
Apply a policy to the Duo application at the application level with the New User Policy set to to "Allow access without 2FA" and the Authentication Policy set to "Bypass 2FA". That way the users wouldn't need to complete any Duo MFA at login, even though they're Active, but they WOULD be able to access online enrollment following the link in the email they receive.
Once everyone is enrolled, remove the application-level policy and they they will have to 2FA at the app.
09-12-2024 11:50 AM - edited 09-13-2024 08:43 AM
Kristina,
Thank you for the reply. You're correct, it is Windows Logon. Everything you say sounds good. We can certainly disable authentication for a short time while enrolling users.
Scott
09-13-2024 11:25 AM
You can combine an application policy set on your RDP app that bypasses 2FA (to let non-admins that still need to enroll log in) with a group policy that requires 2FA set on your RDP app targeting a group of your existing admins who are already enrolled in Duo, so that your privileged users still get login protection.
If you are using AD sync and those admins are synced from AD you'll need to sync over an AD group containing those admins into Duo to use as the group policy target, since you can't manually add synced users to a group from the Duo side.
09-13-2024 11:33 AM
May I ask which GPO I would use to enforce 2FA on admins? I can see the idea of putting admins in a separate OU so they sync with Duo in their own group but I'm unaware of a GPO to force 2FA. Do you mean an additional Duo policy?
09-13-2024 11:41 AM - edited 09-13-2024 11:41 AM
Yes, on the application in Duo, an application policy that bypasses MFA that would be effective for your users who need to enroll, and an application group policy that requires MFA that would be effective for members of a specified group, i.e.
09-13-2024 12:06 PM
Kristina,
You're awesome, thank you! I have created two Duo (and AD) Groups now: Duo Users and Duo Pilot Users. I realized that regular Duo users already enrolled and Admins already enrolled should be able to use 2FA while I'm enrolling new people. I have the more permissive policy set to "Duo Pilot Users" and the enforcement still on for "Duo Users".
I tested with an unenrolled user with the global policy still set to enforce 2FA. No need to edit global policy now, just move them into the correct AD group once enrolled.
Scott
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide