Duo Administration - Admin Panel OverviewLast Updated: February 22nd, 2024
Manage your Duo deployment from the Duo Admin Panel. This includes configuring Duo Single Sign-On, creating and managing applications, enrolling and activating users, issuing and managing SMS passcodes and bypass codes, managing mobile devices, fine-tuning the user experience of your Duo installation, and more.
Video shows the Duo Admin Panel experience prior to August 2023.
Accessing the Duo Admin Panel
The browser used to access the Admin Panel must support TLS 1.2, which most modern browsers do by default. If you have issues accessing the site, please update your browser to a recent version of Chrome, Firefox, Edge, Safari, etc. or check your browser’s SSL implementation here: https://www.ssllabs.com.
Duo no longer supports use of Internet Explorer to access the Admin Panel. Microsoft ended Internet Explorer desktop application support on June 15, 2022. Please use one of Duo's supported browsers.
To access the Duo Admin Panel:
Enter your administrator account email address. If you're logging in from a private computer or device, you can check the Save my email address and login options box. Don't do this if you are on a shared kiosk or public computer.
The next step depends on whether your organization uses Cisco Security Cloud Control or has federated Duo administrator logins with an external single sign-on identity provider (IdP), and whether using SSO login is required or optional.
Password Login Only
Your organization has not configured SAML login for admins, so no SSO options are presented. Enter your administrator password, and click Log in.
SSO Login Required
Your organization prefers that administrators sign in using SSO. Click the Continue to identity provider button to be taken to your organization's identity provider (IdP) where you'll sign in with your primary user credentials.
SSO Login Optional
You can choose how to sign-in. Clicking the Log in using Single Sign On button takes you to your organization's IdP to complete primary authentication.
If you created a password for the Duo Admin Panel you may use that instead of SSO. Click Log in using password to show the password entry form. Enter your administrator password, and click Log in.
If you checked the Save my email address and login options box when you entered your Duo administrator username, then we'll also save your SSO login preference and won't ask you to choose between single sign-on or password authentication again.
Cisco Security Cloud Sign On
If your organization is provisioned through Cisco Security Cloud Control, you will see an option to Log in using Security Cloud Sign On (SCSO). This will take you to SCSO or your organization's IdP for primary and secondary authentication depending on how your enterprise admin has configured your setup.
After successful authentication via SSO or by entering the correct Duo admin password, you then must authenticate using a second factor. Complete login verification by selecting one of the available methods.
- Duo Push: Approve a login verification request sent to your smartphone with the Duo Mobile app. You must activate your administrator account for Duo Mobile separately from your user account to use Duo's push authentication at the Admin Panel. See Use Duo Push for Administrator Authentication for instructions.
- Passkey: Use a passkey including security keys and biometrics. For supported external security key devices, insert it and then touch it. For integrated devices like Touch ID, follow the prompts from your browser that appear to confirm your identity. This method only appears if you have added a passkey to your admin profile.
- Text Message: Receive an SMS message containing a one-time passcode and enter the passcode in the space provided. This passcode is valid for five minutes.
- Phone Call: Receive a phone call communicating a one-time passcode and enter the passcode in the space provided. This passcode is valid for five minutes.
- Duo Mobile passcode: Authenticate with a passcode generated in the Duo Mobile app.
- Hardware Token: Enter a passcode generated by a physical device issued by your organization.
- Yubikey passcode: Authenticate with a passcode generated by a Yubikey.
The two-factor authentication methods available may differ depending on your organization's Admin Authentication Methods settings. If, for example, your organization disabled the "Phone Callback" method, you won't see the "Phone call" 2FA option when you log in.
If you want to choose a different way to confirm your identity after your initial choice, click Back to login options to return to the list of all second-factor options and choose again.
If you checked the Save my email address and login options box earlier and also use a passkey or Duo Push as your authentication method, we will save that method as a preference as well and prompt you automatically to use the same verification method the next time you log in. You can always cancel the automatic verification in progress by returning to the list of login options to choose a different method.
If you've forgotten your password, click the Forgot Password link shown after you enter your email address. Enter the email address that you use to log in to your Duo administrator account and click Submit. Check your email for your password reset link.
We'll also send you a notification email once you've changed your password. If you receive a password change notification and you didn't initiate this change, contact your organization's Duo owner or Duo Support.
First-Time Administrator Account Setup
If you're a new Duo administrator for your organization, you likely received an account setup link from your org's Duo owners via email, text message, or another method of communication. Click that link to begin the setup process.
If your admin password will be stored in Duo, click Create Password to set your password. Passwords must have at least twelve characters, and may also require a mix of character types depending on your Admin Password Policy settings. New passwords will be checked against common passwords, usernames, and other account information to ensure uniqueness.
If your organization uses single sign-on with its own identity provider (IdP) for Duo Admin Panel logons, then click Create account using Single Sign On and sign in at your IdP with primary username and password.
If you don't have a smartphone, click Don't have a smartphone? Skip for now.
If a phone number was entered for you when your account was created, you can confirm that's the right backup phone number for Duo Admin Panel logins, or enter the correct backup phone number if it is not. You can skip this if you never plan to use phone call or SMS text messages to log into your Duo administrator account (if, for example, you received a hardware token from your organization to use as a backup login verification method).
If no phone number was entered when your account was created, then you can enter your phone number.
If you skipped Duo Push activation, you'll need to verify ownership of the phone number entered by entering a passcode received via text message or phone call before you can continue with setup.
When you've finished with setup, click the Continue to Duo Admin Panel Login button to log into the Duo Admin Panel with the password just set (or after SSO login), using Duo Push or phone call/SMS depending on what authentication methods you set up.
Entering the wrong password or passcode for your admin account or letting the push or phone call 2FA approval request time out increments the failed login count. After ten failed login attempts, your admin account will be locked out. Duo will send you an email containing a link you can click to immediately unlock your account. Otherwise, your admin account will automatically unlock after 24 hours.
If you don't have access to email and you can't wait 24 hours for your account to unlock itself, then you can ask another Duo admin at your organization for help. See Unlocking an Administrator for more info about manually unlocking an admin account.
Admin Panel Overview
The Admin Panel dashboard gives you a snapshot of your organization's activity.
When viewing the dashboard keep in mind that we round very large quantities for the dashboard display, but you can click any of the numbers to see an exact count.
The information shown first on the dashboard provides a quick overview of users with bypass or locked out status, inactive users who haven't logged in using Duo for the last 30 days, and your total end user count. Click on any of these items to view a filtered list of users.
Click the "Licenses Remaining" link to view the Deployment Progress report, which tracks how many end users there are in your Duo deployment, how many applications you've protected with Duo, the average number of 2FA devices per user, and the top authentication method used over the last seven days.
The endpoints summary information on the dashboard indicates how many of your endpoints have outdated operating systems and shows how that number has changed over the last week. Click the "Out of Date OS" or "Total Endpoints" link to view more detailed information on the Device Insight page.
Click anywhere on the interactive graph of your most recent authentication successes and failures to view the Authentication Log, filtered to display the related events.
The Authentication Log lists information about the last ten Duo login attempts, including the following:
- Date and time of the access attempt
- Whether the authentication was successful or not and why
- The Duo username
- Which application was accessed
- Access device information, such as the source IP address and location (if the login originated from a public IP address), the client OS, browser, and plugin information, and trusted status
- Second factor device information, such as the type of Duo factor used, the device's phone number, and source IP address and location (if the Duo Push response originated from a public IP address)
You can click the "Full authentication log" link to view all login events.
Click the Add New... button in the top right of the Dashboard to quickly create a new user, group, or application. You can also click the navigation link on the left for the type of object you want to create.
Click on your name in the upper-right corner to access your administrator account action menu. Click Edit Profile to change the name associated with your administrator login, reset your password for the Admin Panel, update your secondary authentication phone number or add a passkey, and activate Duo Mobile for Admin Panel login. You can also click Log Out on this menu to end your Duo administrator session. You'll be logged out of the Admin Panel automatically after 60 minutes of inactivity.
Manage or view different object types by clicking the links on the left side of the Admin Panel. You may be shown a subset of these links, depending on your assigned administrative role.
- Dashboard: Return to your account overview and summary.
- Device Insight: Review information about clients and devices authenticating to Duo. See Device Insight. Available in Duo Premier, Duo Advantage, and Duo Essentials plans.
- Policies: Define and assign access policies by user group and per application. See Policy & Control. Available in Duo Premier, Duo Advantage, and Duo Essentials plans.
- Applications: View, add, and modify applications. See Protecting Applications.
- Single Sign-On: Manage Duo Single Sign-On configuration. Available in Duo Premier, Duo Advantage, and Duo Essentials plans.
- Users: View, create, and modify users. See Managing Users.
- Groups: Create and view groups. See Using Groups.
- Endpoints: Duo Premier and Duo Advantage customers can review operating system, browser, and plugin security status information about end-user devices accessing Duo. See Endpoints.
- 2FA Devices: View, create, and assign phones, hardware tokens, and other authentication devices. See Managing Devices.
- Administrators: Create and manage administrator access to Duo. See Managing Duo Administrators and Administrative Roles.
- Trusted Endpoints: Set up management integrations to support managed/unmanaged device detection. See Trusted Endpoints. Available in Duo Premier, Duo Advantage, and Duo Essentials plans.
- Trust Monitor: Manage Trust Monitor configuration and review and process events. See Trust Monitor. Available in Duo Premier and Duo Advantage plans.
- Reports: View authentication events, administrator actions, and other valuable reports. Learn more about Logs and Reports. All administrator roles except Billing can view reports.
- Settings: Change global settings for your Duo service. See Changing Settings.
- Billing: Manage payment methods, change your Duo subscription, view and download your monthly billing history, and purchase telephony credits or Duo hardware tokens. Note that customers who purchased Duo licenses or telephony credits through Cisco Commerce Workspace (CCW) must log in to CCW to manage billing, download invoices, or purchase additional telephony credits.
You'll find Duo's support information under Help on the top right of the Dashboard. Paying customers may click the Support Ticket Portal link to create and manage support cases in the customer portal.
The Versioning information helps you determine what Duo release updates apply to your account. You may need to provide this information if you contact Duo Support. Check our Release Notes to learn more about new features, fixes, and updates to Duo's service and applications.
You'll need your Account ID information if you contact Duo support via phone or email instead of using the Support Ticket Portal link.
In addition, you'll find your Deployment ID under Help, under your Duo Account. Clicking the Deployment ID takes you to the Duo Service Status page, where you can see the current operational status of Duo's cloud services.
The remaining navigation items link to different sites with helpful information about Duo. The Documentation, User Guide, and Knowledge Base sites contain technical instructions and helpful articles for Duo administrators and end users.
Level Up: Training and Certification is an online learning platform offering Duo administration courses and online certifications free to all Duo customers. Use this link from the Admin Panel to perform single sign-on into Level Up with your Duo administrator account. Learn more about the Level Up program.
Use the search field at the top of the Admin Panel to quickly find a particular user (by username or alias), phone or token device, group, or application.
Clicking most of the navigation items on the left of the Admin Panel window takes you to a table view of those objects (i.e. clicking Users shows you a table of Duo users).
Information tables in Duo are either paginated, where you can change the page size from 10 to 100 items and click forward and back between pages, or the table shows a Load More button at the bottom of the current data view that you can click to show more information. Most tables have a search field in the upper right that you can use to filter records in place.
If the table has an Export button, you can click that to select from the available export options, which may include CSV, JSON, or PDF format, or URL which gives you a direct link to your current view. If you've filtered the information in the table using search, the downloaded information only includes those search results.
Early Access Features
As part of our ongoing efforts to bring customers new capabilities we will make features, settings, and applications available ahead of general availability. This is a chance for you to opt into new and important features sooner and validate them in your environment.
Features covered here might be noted by an "Early Access" badge or referred to as "Early Access" features in upcoming communication.
This early access or public preview phase of development is fully supported by Duo’s technical support. Early access features are always opt-in and will not change without standard product change communication.
For more information on Duo’s development process and release phases see the article What do Duo’s product release terms like "Public Preview" or "Early Access" mean? in the Duo Knowledge Base.
Please contact your Duo representative with any questions or concerns.
All administrator roles except Billing can view reports. Clicking the Reports link on the left side of the Admin Panel takes you to the Authentication Log.
The default view shows authentication events for the previous 24 hours. You'll see a visual representation of authentication successes and failures, and a list of authentication attempts that shows the following information:
- When the login was attempted
- Whether the login attempt was successful or not (if access is denied, a reason is provided)
- The username
- Which application was used
- Risk assessment information
- The access device's operating system
- Browser and browser plugin information if using a web based application with the inline Duo Prompt
- The location from which the login attempt originated (if a publicly resolved IP address)
- The client IP address (if the client sends IP information)
- What type of Duo authenticator was used (Duo Push, SMS, phone call, etc)
- Information about the device that was used for Duo authentication (phone number, location, IP address, etc.)
Duo Premier, Advantage, and Essentials plan customers see events for users when they access an application without two-factor authentication as a result of setting the New User Policy setting to "Allow access without 2FA" and when denied access to an application because the New User Policy is set to "Deny access".
To narrow down the authentication logs shown, click on "Last 24 Hours - No filters applied" (the default) at the top of the page to expand the filtering options. You can expand the time range up to a maximum of 180 days, filter the authentication log information by typing in all or part of a user, application, or group name, or select from other criteria like second factor or passwordless devices used to authenticate, authentication log success or failure reasons, and more.
Click the Export button in the upper right side of the log display and select from the available export options, which may include CSV or JSON which will download a copy of the log. You may also select Print which will go directly to your browser's print dialog or URL to obtain a direct link to your current authentication log view.
The telephony log shows all the phone calls and SMS messages sent by Duo. These could be initiated by administrator login to the Admin Panel, user login to Duo protected services, or device enrollment and activations links sent to users and administrators (as shown in the "Context" column).
The number in the "Credits" column shows how many credits were deducted from your telephony credits balance for each phone call or message.
To narrow down the telephony logs shown, click on "Last 30 days" (the default) at the top of the page to expand the time filtering options. You can select a different time range from a minimum of 24 hours to a maximum of 180 days or input a custom time range.
Click the Export button in the upper right side of the log display and select from the available export options, which may include CSV or JSON which will download a copy of the log. You may also select Print which will go directly to your browser's print dialog or URL to obtain a direct link to your current telephony log view.
Administrator Actions Log
The administrator actions log shows activity by your organization's Duo administrators. Examples of logged administrator actions include:
- Administrator login to the Admin Panel
- Tasks like adding, modifying, or deleting phones, users, tokens, applications, and other administrators
- Directory sync start and end and any updates made by the sync
Click on any of the column headings to sort log entries by that column.
Click on the link in the "Action" column to see more details.
The authentication log event display may be filtered by administrator.
Click the Export button in the upper right side of the log display and select from the available export options, which may include CSV or JSON which will download a copy of the log. You may also select Print which will go directly to your browser's print dialog or URL to obtain a direct link to your current administrator actions log view.
Single Sign-On Log
The Single Sign-On log shows Duo Single Sign-On successful and failed authentication activity. Success indicates completion of primary and secondary authentication.
Duo authentication, telephony, SSO, and administrator action log entries are retained indefinitely by default. Change the log retention period to your desired maximum number of days in the "Logging" setting.
Duo's next-generation authentication experience, the Universal Prompt, provides a simplified and accessible Duo login experience for web-based applications, offering a redesigned visual interface with security and usability enhancements.
The Universal Prompt Update Progress report acts as a centralized location for determining which of your applications will be capable of supporting the new prompt, which applications require reconfiguration for continued use, monitoring updates to the availability of required software updates needed to support the Universal Prompt, viewing which applications have the necessary update in place, and activating Universal Prompt for updated applications.
Read the Universal Prompt Update Guide for more information about the update process to support the new prompt.
All Duo customers have access to Level Up, our online learning platform offering courses on a variety of Duo administration topics. To access Level Up content, sign in with the same email address you use to sign in to the Duo Admin Panel.