Managing Users

Create, manage, and delete users from the Duo Admin Panel.

To access the Admin Panel, navigate to https://admin.duosecurity.com, enter your administrator account email address and password, and click Submit. After your login is accepted, you must then authenticate using a second factor. You must activate your administrator account for Duo Mobile separately from your user account to use Duo's push authentication. See Managing Administrators for instructions.

Managing Duo Users

Listing Users

  1. Log in to the Duo Admin Panel and click Users in the left sidebar. At the top of the page you see a summary of the total number of Duo users in your organization, as well as counts of users without any authentication devices (including those with Pending Enrollment status), inactive users who haven't authenticated with Duo for the past 30 days, and users with bypass or locked out status. Click each type of user count to filter by that category.

    The Users table shows user names, email addresses, the number of assigned phones and tokens, the user's status, and the date and time of the last login.

    Click the Reports button in the upper right side of the log display and select CSV or JSON to download a list of users. You can also select URL to obtain a direct link to your current users view. If you've filtered your current view (for example, by entering search text in the search box), the report only includes the filtered results.

  2. Clicking on a user's name displays details about that user, including all associated authentication factors.
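The JSON report can be triaged offline into the same categories the summary counts use. The following is an added example, not Duo's code: the field names (`username`, `status`, `phones`, `tokens`, `last_login`) and the sample records are assumptions constructed for illustration, so map them to the fields in the file you actually download.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample report. The field names are assumptions for this
# example; rename them to match the JSON file you actually download.
SAMPLE_REPORT = json.dumps([
    {"username": "alice", "status": "Active", "phones": 1, "tokens": 0,
     "last_login": "2024-05-28T09:15:00+00:00"},
    {"username": "bob", "status": "Bypass", "phones": 1, "tokens": 0,
     "last_login": "2024-03-01T12:00:00+00:00"},
    {"username": "carol", "status": "Active", "phones": 0, "tokens": 0,
     "last_login": None},
    {"username": "dave", "status": "Locked Out", "phones": 0, "tokens": 1,
     "last_login": "2024-05-31T17:40:00+00:00"},
])

INACTIVE_AFTER = timedelta(days=30)  # "inactive" window from the Users summary


def triage_users(report_json, now):
    """Sort usernames into the review categories shown above the Users table."""
    findings = {"no_devices": [], "inactive": [], "bypass": [], "locked_out": []}
    for user in json.loads(report_json):
        name = user["username"]
        status = (user.get("status") or "").strip().lower()
        devices = int(user.get("phones") or 0) + int(user.get("tokens") or 0)
        if devices == 0:
            findings["no_devices"].append(name)
        last_login = user.get("last_login")
        # Assumption: an account with no recorded login counts as inactive.
        if not last_login or now - datetime.fromisoformat(last_login) > INACTIVE_AFTER:
            findings["inactive"].append(name)
        if status == "bypass":
            findings["bypass"].append(name)  # no second factor is enforced
        elif status == "locked out":
            findings["locked_out"].append(name)
    return findings


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed for a repeatable run
    for category, names in triage_users(SAMPLE_REPORT, now).items():
        print(f"{category}: {', '.join(names) or '-'}")
```

Users that appear under both `bypass` and `inactive` are the ones to review first, since they hold single-factor access that nobody is exercising.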

Enrolling Users

Admins have several options when it comes to enrolling new users in Duo, such as self-enrollment, AD sync, and Azure sync. The Enrolling Users documentation covers all of our enrollment methods in detail.

Important

Duo administrator accounts are only used to log on to the Admin Panel. They can't be used to access devices or applications using Duo two-factor authentication. Be sure to also enroll your Duo admins as users if they need to log on to Duo protected services.

Pending Enrollments

Role required: Owner, Administrator, or User Manager.

The Pending Enrollments table shows users who were created by bulk enrollment or directory import and automatically emailed an enrollment link, but have not yet completed enrolling their 2FA devices in Duo. For each user that has not completed enrollment, the user's email address and the expiration date for the enrollment link previously sent are shown. If you need to send the user another copy of the enrollment link email, click the Resend button. Resending the email does not change the current enrollment link's expiration date.

Creating Users Manually

Role required: Owner, Administrator, or User Manager.

To add larger numbers of new users to Duo we recommend using one of our enrollment methods or the user import utility over creating users manually.

  1. Log into the Duo Admin Panel. From the Dashboard page you can click the Add New... button in the top right and then click User. Otherwise, click Users in the left sidebar, then click the + Add User button or the Add User submenu item in the left sidebar.

  2. Enter a username and click the Add user button. The username should match the primary login used to access the Duo protected service.

  3. The new user is created.

You can now perform additional user management tasks, such as populate the name and e-mail address fields, change the new user's status, attach a phone to the user, add the user to a group, and more.

Deleting Users

Role required: Owner, Administrator, User Manager, or Help Desk.

Users who are managed by Active Directory or Azure synchronization may not be manually deleted.

  1. Log into the Duo Admin Panel. Click Users in the left sidebar.

  2. Select a user from the list by clicking his or her username. On the properties page for that user, click the Delete User button.

  3. Click the Delete button on the pop-up confirmation dialog.

  4. The user is deleted from Duo.

Changing User Status

Role required: Owner, Administrator, User Manager, or Help Desk.

A Duo user's status can be one of the following:

  • Active - The user is required to use Duo two-factor authentication at log on. This is the default status for new users.
  • Bypass - The user is not required to use Duo two-factor authentication at log on and is not subject to any policy setting restricting access. The bypass event is recorded in the Duo authentication log.
  • Disabled - The user is not permitted to use Duo two-factor authentication, and log on is denied.
  • Locked Out - The number of failed Duo authentication attempts exceeded the lockout threshold defined in the Lockout and Fraud settings. This status is only visible while an account is locked out, and cannot be manually set by an admin.

Owners and administrators are able to change the status for an individual user to any of the available options. Help Desk role admins can only change a "Locked Out" user's status to "Active", and cannot assign "Bypass" or "Disabled" status.

  1. Log in to the Duo Admin Panel and click Users in the left sidebar.

  2. Select a user by clicking his or her username. The user's current status is shown in the "Status" section of the user properties page.

  3. Select the desired status, then scroll down and click the Save Changes button.

Assigning User Status with Groups

Duo groups can be used to automatically assign a status to group members. When the status of a user is managed by a Duo group, the user's properties page indicates which group determines the user's status and the effective setting.

For more information on using Duo groups to control user status, see Group Settings.

When users are imported into Duo by Azure or Active Directory synchronization, the "Disabled" status in Duo is determined by the user's status in the connected directory and cannot be modified from the user's properties page in the Duo Admin Panel. See our guides to Active Directory synchronization or Azure AD synchronization for details.

Activating Duo Mobile

Role required: Owner, Administrator, User Manager, or Help Desk.

Users will occasionally need to have Duo Mobile activated or re-activated on their device. For example, a new user may have a problem during enrollment, or an existing user may lose or replace a phone or tablet. Here's how to activate or re-activate Duo Mobile for a user:

  1. Log in to the Duo Admin Panel and click Users in the left sidebar.

  2. Select a user by clicking his or her username, then scroll down to the "Phones" section of the entry and click on the alias or number of the device you need to activate.

  3. Make sure that the device's "Type" is Mobile and that the "Platform" is correct. Click the Save Changes button when you're done.

  4. Once the page refreshes, click the Activate Duo Mobile (or Reactivate Duo Mobile) link in the "Duo Mobile" section near the top of the page.

  5. On the next page you can adjust the lifetime for the mobile activation code (by default these expire 24 hours after generation). Click the Generate Duo Mobile Activation Code button once you're ready to issue a new activation code for this device.

    Important

    This will immediately invalidate any existing Duo Mobile credentials for that device. The Duo Mobile app on that device will need to be activated with the new activation code to restore access.

  6. You can now send the user instructions to install and activate Duo Mobile. Check or uncheck the appropriate boxes and click Send Instructions by SMS.

    These instructions and links can also be copied from the Admin Panel and pasted into an email for users without SMS-capable devices (like tablets).

You can also send activation emails or text messages in batches. See Activating Users After Enrollment for more information.

Sending SMS Passcodes

Role required: Owner, Administrator, User Manager, or Help Desk.

Duo users who aren't able to receive pushes or phone calls due to spotty mobile coverage, or traditional mobile phone users who aren't able to install the Duo Mobile smartphone app may rely on batches of passcodes sent over SMS. Administrators can send new batches of SMS passcodes to their users whenever they choose. All old codes are invalidated when a new batch is sent. To send passcodes:

  1. Log in to the Duo Admin Panel and click Users in the left sidebar.

  2. Select a user by clicking his or her username, then scroll down to the "Phones" table on the user's properties page and click on the device you need to activate.

  3. Make sure that the device's "Type" is Mobile. Click the Save Changes button after making any changes.

  4. Click the Send SMS Passcodes button near the top of the page.

  5. On the next page click the Send SMS Passcodes button.

The SMS passcode batch size and other settings can be configured in the SMS passcodes section of the Duo Settings page. To get to this page click Settings in the left sidebar.

Generating a Bypass Code

Role required: Owner, Administrator, User Manager, or Help Desk.

A bypass code is a temporary passcode created by an administrator for a specific user. These are generally used as "backup codes," so that users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) can still access their Duo-protected systems. Bypass codes can also be used to allow a temporary user access to applications that don't support self-enrollment without having enrolled a device. Bypass codes expire after being used the allowed number of times, or after an administrator-defined amount of time.

You can limit your Help Desk administrators' ability to create or customize bypass codes on the Settings page.

To generate a bypass code:

  1. Log in to the Duo Admin Panel and click Users in the left sidebar.

  2. Select a user by clicking his or her username. Scroll down to the bottom of the user properties page and click the +Add Bypass Code button. Help Desk admins won't see this button if the "Do not allow Help Desk admins to create bypass codes" option is selected on the Settings page.

  3. By default, bypass codes expire after a single use or in one hour, whichever happens first.

    To change the expiration and reuse settings, or to define the bypass code (instead of letting the system generate a random string of nine digits) click the Change options link. Help Desk admins won't see this link if the "Do not allow Help Desk admins to customize bypass codes" option is selected on the Settings page.

    Once you've finished adjusting these options, click Generate Bypass Code to generate the bypass code.

  4. The code is generated and shown in the green bar at the top of the user properties page. It can be used immediately.

Viewing and Deleting Bypass Codes

To view a list of all current bypass codes, click Users in the left sidebar, then Bypass Codes.

You'll see at a glance the total number of valid bypass codes and counts of "weak" bypass codes (meaning bypass codes that have no expiration). The table lists which users have been assigned bypass codes, which Duo admin created that bypass code (or "API" if the bypass code was created programmatically via the Admin API) and when the codes will expire or run out of uses. Click each type of user count to filter by that category.

To view a bypass code, click the (show) link next to the code.

To delete a user's bypass code, click the Delete button on the far right of the table. Confirm deletion of the bypass code when prompted.

View detailed information about bypass code creation and deletion events, such as whether the bypass code was manually or automatically generated, the expiration of the bypass code (in minutes), and the total number of uses for the bypass code, in the Administrator Actions log.
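A periodic review of outstanding bypass codes can apply the same rules in code: flag "weak" codes with no expiration, plus codes issued beyond the defaults of a single use and one hour. This is an added example, not part of Duo's documentation or tooling; the record layout (`user`, `created_by`, `created`, `expires`, `uses_allowed`) and the sample data are hypothetical and constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

DEFAULT_LIFETIME = timedelta(hours=1)  # default expiry described on this page
DEFAULT_USES = 1                       # default: single use

# Constructed records; the field names are hypothetical. expires=None means
# the code never expires, uses_allowed=None means unlimited reuse.
SAMPLE_CODES = [
    {"user": "alice", "created_by": "helpdesk@example.com",
     "created": "2024-06-01T08:00:00+00:00",
     "expires": "2024-06-01T09:00:00+00:00", "uses_allowed": 1},
    {"user": "bob", "created_by": "API",
     "created": "2024-05-20T10:00:00+00:00",
     "expires": None, "uses_allowed": 1},
    {"user": "carol", "created_by": "admin@example.com",
     "created": "2024-06-01T08:00:00+00:00",
     "expires": "2024-06-08T08:00:00+00:00", "uses_allowed": 10},
    {"user": "dave", "created_by": "admin@example.com",
     "created": "2024-05-30T08:00:00+00:00",
     "expires": None, "uses_allowed": None},
]


def audit_bypass_codes(codes, now):
    """Return (user, created_by, reasons) for codes that need review."""
    findings = []
    for code in codes:
        reasons = []
        expires = code.get("expires")
        if expires is None:
            reasons.append("weak: no expiration")
        else:
            expiry = datetime.fromisoformat(expires)
            if expiry <= now:
                continue  # already expired, nothing left to review
            created = datetime.fromisoformat(code["created"])
            if expiry - created > DEFAULT_LIFETIME:
                reasons.append("lifetime exceeds one-hour default")
        uses = code.get("uses_allowed")
        if uses is None:
            reasons.append("unlimited uses")
        elif uses > DEFAULT_USES:
            reasons.append(f"reusable ({uses} uses)")
        if reasons:
            findings.append((code["user"], code["created_by"], reasons))
    # Weak codes first, then the codes with the most findings.
    findings.sort(key=lambda f: (not f[2][0].startswith("weak"), -len(f[2]), f[0]))
    return findings


if __name__ == "__main__":
    now = datetime(2024, 6, 1, 8, 30, tzinfo=timezone.utc)  # fixed for repeatability
    for user, creator, reasons in audit_bypass_codes(SAMPLE_CODES, now):
        print(f"{user} (created by {creator}): {'; '.join(reasons)}")
```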

Using Groups

Assigning Duo users to groups simplifies user management. It's especially handy for quickly defining application access or assigning user status. See the Using Groups documentation for more information and detailed instructions.

Duo's Duo Beyond and Duo Access plans let you create granular security policies and apply them to selected groups and applications. See the Policy & Control documentation for more information.

Managing Administrators

Role required: Owner.

Click Administrators on the left side of the Duo Admin Panel. Here you are able to add, remove, and modify administrators (which are the users that have access to the Duo Admin Panel).

Listing Administrators

  1. Log in to the Duo Admin Panel and click Administrators in the left sidebar. The list shows administrator names, roles, email addresses, and phone numbers.

    Click the Reports button in the upper right side of the log display and select CSV or JSON to download a list of administrators. You can also select URL to obtain a direct link to your current administrators view. If you've filtered your current view (for example, by entering search text in the search box), the report only includes the filtered results.

  2. Clicking on an administrator's name displays details about that user, including the assigned role.

You can jump directly to your own administrator account details by clicking Edit Profile in the upper right hand corner of the Duo Admin Panel.

Add an Administrator

  1. Log in to the Duo Admin Panel and click Administrators in the left sidebar.

  2. Click either the Add Administrator menu item, or the + Add Administrator button at the far right.

  3. Enter the new Duo administrator's email, name, password, and phone number, optionally assign a hardware token for secondary authentication, and then select the desired permissions role for the new administrator. Click the Add Administrator button to finish.

The email address entered here must be unique and not already registered as an administrator on any other Duo Security accounts. A phone number is required. This is the number that Duo uses for SMS or phone call two-factor authentication to the Admin Panel.

The new administrator may change his or her account password after the first successful authentication.

Changing an Administrator's Permissions

To reassign an administrator's role:

  1. Log in to the Duo Admin Panel and click Administrators in the left sidebar.

  2. Click on the administrator's name.

  3. Select the new role for that administrator from the Permissions list and click the Save Changes button.

Deleting an Administrator

To remove an administrator:

  1. Log in to the Duo Admin Panel and click Administrators in the left sidebar.

  2. Click on the administrator's name.

  3. Click the Delete Administrator button to remove that user. You'll be prompted to verify your action. You cannot delete the currently logged in administrator.

Changing an Administrator's Password

To change an administrator's password:

  1. Log in to the Duo Admin Panel and click Administrators in the left sidebar.

  2. Click on the administrator's name to view details.

  3. In the "Primary Authentication" section of the administrator's details page, enter the new password, then confirm that password by entering it a second time.

  4. Click the Save Changes button. The new password will be applied immediately.

Updating an Administrator's Secondary Authentication Methods

All administrators must use two-factor authentication to access the Duo Admin Panel. When logging in to the Duo Admin Panel, you'll see a login prompt.

After submitting a valid username and password, you can select a delivery method for a one-time passcode (in most cases, this will be either SMS message or phone callback for your initial login), or enter an OTP passcode generated by a hardware token if one is attached to your administrator account.

If you clicked "Text Me" or "Call Me", enter the passcode you receive via text message or in a voice call and click Submit.

A phone number is required when creating a Duo administrator. This is the number that Duo uses for two-factor authentication to the Admin Panel. That phone number (and extension, if necessary) is shown in the "Secondary Authentication → Phone number" field of an administrator's details page. The number can be updated at any time:

  1. Log in to the Duo Admin Panel and click Administrators in the left sidebar.

  2. Click on the administrator's name to view details.

  3. Scroll down to the "Secondary Authentication" section of the details page. Enter the new phone number, then click the Save Changes button.

Assign a Token for Administrator Authentication

Assigning a hardware token to an administrator permits token passcode authentication when logging in to the Duo Admin Panel. Administrators can use hardware tokens purchased from Duo and third-party one-time password (OTP) hardware tokens, such as YubiKey OTP or any other OATH HOTP-compatible tokens. You can continue to use other authentication methods for the Duo Admin Panel like Duo Push and passcodes received via SMS or phone call.

Only account owners may modify other administrator accounts to add hardware token authenticators.

To attach a token to an existing administrator:

  1. Log in to the Duo Admin Panel and click Administrators in the left sidebar.

  2. Click on the administrator's name to view details.

  3. Click the drop-down menu to see a list of available hardware tokens. You can also search for a token by typing in the serial number.

    Click a token to select it, and then click Save Changes at the bottom of the page.

  4. The administrator's properties page shows the newly added token. Click the Remove link to the right to remove the hardware token from the administrator's account.

    You must remove a hardware token from any attached administrator accounts before deleting the token from Duo.

Use Duo Push for Administrator Authentication

Duo administrators can also use Duo Mobile for secondary authentication via Duo Push. This "one-tap authentication" is both secure and convenient. See Duo Push in action, then download the Duo Mobile app to get started.

To activate Duo Push for your administrative account:

  1. Install Duo Mobile on your mobile device.

  2. Log in to the Duo Admin Panel and click Edit Profile, shown in the upper right hand corner of the page.

  3. Scroll down to the Secondary Authentication section and click the Activate link next to Duo Push.

  4. Open Duo Mobile on your device. Tap the plus sign (+) to add a new account, and scan the barcode displayed on your computer screen. If your mobile device doesn't have a camera, click the link below the barcode to email an activation link to your mobile device.

  5. Your administrator account is now activated. Log out of the Duo Admin Panel, then submit your username and password and click Duo Push to give it a try.

    After clicking Duo Push, the button indicates that a login request was sent to your device.

    Now approve the Duo Push request when it arrives on your device, and you'll be fully authenticated and logged in.

Unlocking an Administrator

A Duo administrator's account is locked out after ten unsuccessful primary or secondary login attempts. Another administrator on the same account with equal or greater privileges can reset the authentication attempt failure count. Otherwise, the administrator lockout expires 24 hours after the last failure.

To reset the authentication attempt failure count:

  1. Log in to the Duo Admin Panel and click Administrators in the left sidebar.

  2. Click on the locked-out administrator's name to view details.

  3. Scroll down to the "Lockout" section and click the Reset link. The change is applied immediately.

Recovering Access to an Administrator Account

If you're unable to log into your Duo Admin Panel account, work with another of your organization's Duo administrators to regain access. Resetting another administrator's password or updating an admin's secondary authentication devices requires the Owner role. We recommend creating at least two administrative users with the Owner role per account for redundant access to the Admin Panel.

If no other administrators with the Owner role exist in your account, please contact Duo Support to begin the recovery process.

Troubleshooting

Need some help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.
