Skip navigation
A Duo user confirms a Duo Push on their device while using their laptop.
Product & Engineering

Announcing Administrative Units and Administrative Single Sign-On (SSO) for the Enterprise


  • Enterprise customers desire greater administrative controls
  • Admin Units delegates management of Duo across different departments
  • Admin Single Sign-On (SSO) helps mitigate risk by reducing use of local credentials
  • Both features available for Duo MFA, Duo Access and Duo Beyond

We've seen tremendous adoption of Duo Beyond, our zero-trust security platform, by customers of all sizes - especially in enterprise and education. Both environments bring two shared attributes: large user populations and a desire to delegate management of tools. As such, these customers came to us with a desire for more granular administrator controls: specifically for delegated administration and federated login.

Delegating Administration

In large organizations, responsibilities for IT are delegated broadly to distinct teams. For example, the networking team will take ownership over virtual private networks (VPNs) and firewalls, the endpoints team will manage endpoint asset management software and Windows/Mac clients, and the infrastructure team will manage Windows and Unix servers.

Similarly, support teams may be distributed across multiple locations or business units, often supporting specific groups of users. For example, the San Francisco office help desk may be responsible for users in the primary engineering office in San Francisco and the Bay Area; however, the New York office help desk is responsible for sales and marketing employees up and down the East Coast.

The reason customers separate administration across different groups is to reduce risk, especially with critical applications and information about full-time employees.

Back in 2015, we added Administrative Roles, which controls the “powers” of an administrator, such as managing users or editing policies. However, our customers came to us with a desire for greater granularity. Dividing up administrative responsibilities by applications or user groups.

So we worked together with a team of customers on a solution to introduce the idea of “scope” to our administrators. Six months ago, our team began working on a feature titled Administrative Units to fill this gap.

Introducing Administrative Units

Administrative Units allows customers to assign specific user groups or applications to individual or multiple administrators.

If Administrative Roles are the X-axis of "what can an administrator do" (e.g. add/delete users, create applications), then Administrative Units are the Y-axis of "which applications or user groups can an administrator see."

Administrative Units

We want to thank the group of twelve customers that worked together with us to provide input and feedback as we developed this feature. In fact, we have to thank customers directly for the name of this feature. The term “administrative units” came about as most of our customers thought about federating administrative controls by “business units,” a common turn of phrase in enterprise.

Administrative Units is generally available today and documentation can be found here.

Federating Logins

We also have an increasing number of customers utilizing SSO, whether it’s through federation services like Azure AD or ADFS or our own solution, Duo’s secure SSO. Customers deploy single sign-on for not only convenience, but also security. It’s convenient for users as they don’t have to memorize passwords for every single service.

Why security? Single sign-on allows customers to federate access to applications without managing separate passwords for each application, which often leads to shared passwords for each service.

Our administrators came to us asking, “How come I can federate logins with users but not administrators?”

And that leads us to Administrative SSO.

Introducing Administrative SSO

SSO Button We’re pleased to announce the general availability of single sign-on (SSO) for the Administrators. Customers can now utilize SAML Identity Providers (IdP) including Azure AD, ADFS, Duo SSO, and Shibboleth to federate access to the Duo Admin Panel.

In order to support this feature, we are also making an update to - a persistent single sign-on button similar to what you’ve seen on other cloud applications.

Administrative SSO is also generally available today, and documentation can be found here.

We would also like to thank our beta customers for Admin SSO. This turned into our largest beta in Duo history, and we couldn’t have delivered this solution without your support. And just a few weeks into release, we already have 400 customers utilizing this feature, so it’s great to see the demand for this feature.