Managing Duo Users

Introduction

Create, manage, and delete your Duo users from the Duo Admin Panel. These user accounts are the ones your end users utilize to log in to Duo-protected services and applications with two-factor authentication.

Duo administrator accounts are managed separately from Duo users. Please see Managing Duo Administrators for more information.

To access the Duo Admin Panel, navigate to https://admin.duosecurity.com, enter your administrator account email address and password, and click Submit. After your login is accepted, you then must authenticate using a second factor. You must activate your administrator account for Duo Mobile separately from your user account to use Duo's push authentication. See Managing Administrators for instructions.

The browser used to access the Admin Panel must support TLS 1.2, which most modern browsers do by default. If you are concerned about compatibility, please update your browser or check your browser’s SSL implementation here: https://www.ssllabs.com.

Certain user management operations have Duo administrative role requirements. These are noted where applicable.

Listing Users

  1. Log in to the Duo Admin Panel and click Users in the left sidebar. At the top of the page you see a summary of the total number of Duo users in your organization, as well as counts of "Not Enrolled" users without any authentication devices (including those with Pending Enrollment status), inactive users who haven't authenticated with Duo for the past 30 days, and users with bypass or locked out status. Click each type of user count to filter by that category.

    The Users table shows usernames, email addresses, the number of assigned phones and tokens, the user's status, and the date and time of the last login.

    List of Users

    Click the Reports button in the upper right side of the log display and select CSV or JSON to download a list of users. You can also select URL to obtain a direct link to your current users view. If you've filtered your current view (for example, by entering search text in the search box), the report only includes the filtered results.

  2. Clicking on a user's name displays details about that user, including all associated authentication factors and endpoints (scroll down to view all information).

    User detail

Enrolling Users

Admins have several options when it comes to enrolling new users in Duo, such as self-enrollment, Active Directory sync, OpenLDAP sync, and Azure sync. The Enrolling Users documentation covers all of our enrollment methods in detail.

Important

Duo administrator accounts are only used to log on to the Admin Panel. They can't be used to access devices or applications using Duo two-factor authentication. Be sure to also enroll your Duo administrators as Duo users if they need to log on to Duo protected services.

Pending Enrollments

Role required: Owner, Administrator, or User Manager.

The Pending Enrollments table shows users who were created by bulk enrollment or directory import and automatically emailed an enrollment link, but have not yet completed enrolling their 2FA devices in Duo. For each user that has not completed enrollment, the user's email address and the expiration date for the enrollment link previously sent is shown. If you need to send the user another copy of the enrollment link email, click the Resend button. Resending the email does not change the current enrollment link's expiration date.

Pending Enrollments

Creating Users Manually

Role required: Owner, Administrator, or User Manager.

To add larger numbers of new users to Duo we recommend using one of our enrollment methods or the user import utility over creating users manually.

  1. Log into the Duo Admin Panel. From the Dashboard page you can click the Add New... button in the top right and then click User. Otherwise, click Users in the left sidebar, then click the Add User button or the Add User submenu item in the left sidebar.

  2. Enter a username and click the Add user button. The username should match the primary login used to access the Duo protected service.

    Add a New User

  3. The new user is created.

    User Added

You can now perform additional user management tasks, such as populating the name and e-mail address fields, changing the new user's status, attaching a phone to the user, adding the user to a group, and more.

User fields in Duo:

Username

The user's primary Duo username. Typically this matches the primary authentication login name your users submit to Duo.

Username Alias 1

An additional username associated with this Duo user. Specify an alias when users log into different Duo-protected services with different username formats.

Suppose your users log into a VPN client with an Active Directory sAMAccountName (narroway), but log into Salesforce via SAML with an email address (narroway@example.com). By specifying narroway as the Username and narroway@example.com as the Username Alias 1, this user may log into either system and authenticate with Duo using the same available device options and without consuming additional Duo licenses.

All Duo usernames and username aliases must be unique per user.

Username Alias 2, 3, 4

Additional username aliases.

Real Name

The full name of the user.

First Name

The given name of the user. This field is only visible with the ID Proofing feature.

Last Name

The surname of the user. This field is only visible with the ID Proofing feature.

Email

The user's email address. Activation emails and Phishing campaigns use this destination address.

Status

The user's Duo status. One of "Active", "Bypass", or "Disabled". See Changing User Status for more information.

Groups

A list of Duo groups containing the user.

Notes

Free text field for additional user information.

Deleting and Restoring Users

Role required: Owner, Administrator, User Manager, or Help Desk.

Deleting a Duo user is a two-step process. User accounts deleted manually from the Admin Panel, purged for inactivity, or deleted by directory sync are first sent to the Trash. User accounts are permanently deleted after seven days in the Trash.

Access the Trash user view by clicking the Trash link underneath the total user count shown at the top of the Users page.

Trash View Link on the Users Page

A deleted account may be restored at any time from the Trash while awaiting permanent deletion. When an account is restored from the Trash, all associated endpoint and authentication device information stays with the account.

User deletion, user restoration from Trash, and permanent user deletion options differ depending on how the user account was sent to the Trash:

  • User accounts not managed by any directory sync may be manually sent to the Trash, restored from the Trash, or permanently deleted from the Admin Panel.

  • Users managed by directory sync may not be manually deleted from the Admin Panel. A user account managed by directory sync is sent to the Trash if the user is removed from the configured sync group (or the sync group is removed from the directory configuration). Users sent to the Trash by a directory sync may only be restored from the trash by a sync; admins may not manually restore a user account managed by directory sync. However, admins can permanently delete synced accounts from the Trash during the seven day waiting period for permanent deletion.

  • User accounts sent to the Trash due to inactivity may be manually restored or permanently deleted from the Trash by a Duo admin. If an admin restores an inactive account from the Trash but the user does not log in, it gets sent back to the Trash for inactivity the next day. If a user authenticates during the seven day waiting period for permanent deletion the account is no longer inactive and is automatically restored from the Trash.

Deleting a Single User

  1. Log into the Duo Admin Panel. Click Users in the left sidebar.

  2. Select a user from the list by clicking their username. On the properties page for that user, click Send to Trash.

    Send a User to the Trash

  3. Click the Send to Trash button on the pop-up confirmation dialog.

    Send to Trash Confirmation

  4. The user account is sent to the Trash and the user's status changes to Disabled.

    User Sent to Trash

    The user account will be permanently deleted in seven days with no further action. Viewing the user shows the expected permanent deletion date.

    User in Trash

Deleting Multiple Users

  1. Log into the Duo Admin Panel. Click Users in the left sidebar.

  2. Select multiple users (or a single user) from the Users view by clicking the checkbox to the left of the username. You can also click on the Select button and choose Select All to perform the action on all your Duo users, or click on the topmost checkbox next to the "Username" column header to select all users on the current page.

  3. Click the ... action button and choose Send to Trash.

    Send Multiple Users to Trash

  4. Click the Send to Trash button on the pop-up confirmation dialog. Note the warning that this operation won't have any effect on users managed by a directory sync.

    Send to Trash Confirmation

  5. The selected user accounts are sent to the Trash.

Restoring Users from Trash

Only users unmanaged by a directory sync may be restored from the Trash. Restoring a user returns the account to the regular Users view and unmarks the user account for permanent deletion, but does not restore user account status from Disabled to Active, so the restored users still may not log in with Duo. You'll need to change the restored user account status back to Active (or Bypass) before the user can log in again.

  1. Log into the Duo Admin Panel. Click Users in the left sidebar, and then click the Trash view link under the user count at the top of the page.

  2. Select a single user or multiple users from the Trash view by clicking the checkbox to the left of the username. You can also click on the Select button and choose Select All to perform the action on all Duo users currently pending deletion in the Trash, or click on the topmost checkbox next to the "Username" column header to select all users on the current page.

  3. Click the ... action button and choose Restore.

    Restore Users from Trash

  4. Click the Restore button on the pop-up confirmation dialog. Note the warning that this operation won't have any effect on users managed by a directory sync.

    Restore from Trash Confirmation

  5. The selected user accounts are restored to the regular Users view and are no longer marked for deletion.

  6. Update the status of the restored user account(s) from Disabled to Active/Bypass.

Permanently Deleting Users

Accounts get permanently deleted from the Trash after seven days. You can permanently delete an account manually during those seven days if you wish. This applies to both standard deleted users and users sent to the Trash by directory sync.

When a Duo user account gets permanently deleted, any phones and endpoints not associated with another user get deleted from Duo at the same time. If the user gets added back to Duo after permanent deletion they must re-enroll their phones or have tokens reassigned before authenticating.

  1. Log into the Duo Admin Panel. Click Users in the left sidebar, and then click the Trash view link under the user count at the top of the page.

  2. Select a single user or multiple users from the Trash view by clicking the checkbox to the left of the username. You can also click on the Select button and choose Select All to perform the action on all Duo users currently pending deletion in the Trash, or click on the topmost checkbox next to the "Username" column header to select all users on the current page, but you can only permanently delete up to 100 users at a time.

  3. Click the ... action button and choose Permanently Delete.

    Permanently Delete Users from Trash

  4. Click the Permanently Delete button on the pop-up confirmation dialog.

  5. The selected user accounts (and attached phones and endpoint devices) are permanently deleted from Duo.

Changing User Status

Role required: Owner, Administrator, User Manager, or Help Desk.

A Duo user's status can be one of the following:

  • Active - The user is required to use Duo two-factor authentication at log on. This is the default status for new users.
  • Bypass - The user is not required to use Duo two-factor authentication at log on and is not subject to any policy setting restricting access. The bypass event is recorded in the Duo authentication log.
  • Disabled - The user is not permitted to use Duo two-factor authentication, and log on is denied. When a user is managed by Azure or AD directory sync, "Disabled" status is determined by the user's status in the source directory.
  • Locked Out - The number of failed Duo authentication attempts exceeds the lockout threshold defined in the Lockout and Fraud settings. This status is only visible while an account is locked out, and cannot be manually set by an admin.

Owners and administrators are able to change the status for an individual user to any of the available options. Help Desk role admins can only change a "Locked Out" user's status to "Active", and cannot assign "Bypass" or "Disabled" status.
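The user report downloaded with the Reports button (see Listing Users) can be checked offline against the status definitions above. The following Python sketch is an added example, not Duo's code; the sample data is constructed and the field names (username, status, phones, tokens, last_login as a Unix timestamp) are assumptions to be mapped onto the columns of your own export.

```python
import json
from datetime import datetime, timedelta, timezone

INACTIVE_AFTER = timedelta(days=30)  # "inactive" window used on the Users page
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)  # fixed so the sample is repeatable


def days_ago(days):
    """Unix timestamp for a login that happened `days` before NOW."""
    return int((NOW - timedelta(days=days)).timestamp())


# Constructed sample export; field names are assumptions for illustration.
SAMPLE_EXPORT = json.dumps([
    {"username": "narroway", "status": "Active", "phones": 1, "tokens": 0, "last_login": days_ago(2)},
    {"username": "svc-backup", "status": "Bypass", "phones": 0, "tokens": 0, "last_login": days_ago(1)},
    {"username": "jsmith", "status": "Active", "phones": 1, "tokens": 1, "last_login": days_ago(45)},
    {"username": "newhire", "status": "Active", "phones": 0, "tokens": 0, "last_login": None},
    {"username": "mlee", "status": "Locked Out", "phones": 1, "tokens": 0, "last_login": days_ago(1)},
    {"username": "olduser", "status": "Disabled", "phones": 0, "tokens": 0, "last_login": days_ago(400)},
])


def audit_users(users, now=NOW):
    """Group usernames by the categories the Users page summarizes."""
    findings = {"bypass": [], "not_enrolled": [], "inactive": [], "locked_out": []}
    for user in users:
        name = user["username"]
        status = user["status"].strip().lower()
        if status == "disabled":
            continue  # log on is already denied, so nothing further to flag
        if status == "bypass":
            findings["bypass"].append(name)  # logs on without two-factor authentication
        elif status == "locked out":
            findings["locked_out"].append(name)
        if user.get("phones", 0) + user.get("tokens", 0) == 0:
            findings["not_enrolled"].append(name)  # no authentication device
        last = user.get("last_login")
        # Choice made in this example: a user who never logged in counts as inactive.
        if last is None or now - datetime.fromtimestamp(last, timezone.utc) > INACTIVE_AFTER:
            findings["inactive"].append(name)
    return findings


def audit_export(text, now=NOW):
    """Parse a JSON user export and audit it."""
    return audit_users(json.loads(text), now)


if __name__ == "__main__":
    for category, names in audit_export(SAMPLE_EXPORT).items():
        print(f"{category}: {', '.join(names) or '-'}")
```

Accounts that land in both the bypass and not_enrolled lists deserve the closest look, since they can reach protected services with no second factor and no device on record.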

Changing a Single User's Status

  1. Log in to the Duo Admin Panel and click Users in the left sidebar.

  2. Select a user by clicking their username. You will see the user's current status in the "Status" section of the user properties page:

    Locked out user

  3. Select the desired status, then scroll down and click the Save Changes button. Note that you cannot set the status of users managed by directory sync to "Disabled".

Changing Multiple Users' Status

  1. Log into the Duo Admin Panel. Click Users in the left sidebar.

  2. Select multiple users (or a single user) from the Users view by clicking the checkbox to the left of the username. You can also click on the Select button and choose Select All to perform the action on all your Duo users, or click on the topmost checkbox next to the "Username" column header to select all users shown on the current page (up to 100 depending on how many are shown per page).

  3. Click the ... action button and choose Change User Status.

    Change Status of Multiple Users

  4. Select the desired new status for these users and then click the Change User Status button on the pop-up confirmation dialog. Note the warning that you cannot set the status of users managed by directory sync to "Disabled".

    Change User Status Confirmation

Assigning User Status with Groups

Duo groups can be used to automatically assign a status to group members. When the status of a user is managed by a Duo group, the user's properties page indicates which group determines the user's status and the effective setting.

Group Status Override

For more information using Duo groups to control user status, see Group Settings.

When users are imported into Duo by Azure or Active Directory synchronization the "Disabled" status in Duo is determined by the user's status in the connected directory and cannot be modified from the user's properties page in the Duo Admin Panel. See our guides to Active Directory synchronization or Azure AD synchronization for details.

Activating Duo Mobile

Role required: Owner, Administrator, User Manager, or Help Desk.

Users will occasionally need to have Duo Mobile activated or re-activated on their device. For example, a new user may have a problem during enrollment, or an existing user may lose or replace a phone or tablet. Here's how to activate or re-activate Duo Mobile for a user:

  1. Log in to the Duo Admin Panel and click Users in the left sidebar.

  2. Select a user by clicking their username, then scroll down to the "Phones" section of the entry and click on the alias or number of the device you need to activate.

    Phone Table

  3. Make sure that the device's "Type" is Mobile and that the "Platform" is correct. Click the Save Changes button when you're done.

    Phone Type

  4. Once the page refreshes, click the Activate Duo Mobile (or Reactivate Duo Mobile) link in the "Duo Mobile" section near the top of the page.

    Activate Duo Mobile

  5. On the next page you can adjust the lifetime for the mobile activation code (by default these expire 24 hours after generation). Click the Generate Duo Mobile Activation Code button once you're ready to issue a new activation code for this device.

    Generate Activation Code

    Important

    This will immediately invalidate any existing Duo Mobile credentials for that device. The Duo Mobile app on that device will need to be activated with the new activation code to restore access.

  6. You can now send the user instructions to install and activate Duo Mobile. Check or uncheck the appropriate boxes and click Send Instructions by SMS.

    Send Instructions

    These instructions and links can also be copied from the Admin Panel and pasted into an email for users without SMS-capable devices (like tablets).

You can also send activation emails or text messages in batches. See Activating Users After Enrollment for more information.

Sending SMS Passcodes

Role required: Owner, Administrator, User Manager, or Help Desk.

Duo users who aren't able to receive pushes or phone calls due to spotty mobile coverage, or traditional mobile phone users who aren't able to install the Duo Mobile smartphone app may rely on batches of passcodes sent over SMS. Administrators can send new batches of SMS passcodes to their users whenever they choose. All old codes are invalidated when a new batch is sent. To send passcodes:

  1. Log in to the Duo Admin Panel and click Users in the left sidebar.

  2. Select a user by clicking their username, then scroll down to the "Phones" table on the user's properties page and click on the device you need to activate.

    Phones table

  3. Make sure that the device's "Type" is Mobile. Click the Save Changes button after making any changes.

    Change Device Type to Mobile

  4. Click the Send SMS Passcodes... link near the top of the page.

    Send Passcodes

  5. On the next page click the Send SMS Passcodes button.

    Send the SMS Passcodes

The SMS passcode batch size and other settings can be configured in the SMS passcodes section of the Duo Settings page. To get to this page click Settings in the left sidebar.

Generating a Bypass Code

Role required: Owner, Administrator, User Manager, or Help Desk.

A bypass code is a temporary passcode created by an administrator for a specific user. These are generally used as "backup codes," so that users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) can still access their Duo-protected systems. Bypass codes can also be used to allow a temporary user access to applications that don't support self-enrollment without having enrolled a device. Bypass codes expire after being used the allowed number of times, or after an administrator-defined amount of time.

You can limit your Help Desk administrators' ability to create or customize bypass codes on the Settings page.

To generate a bypass code:

  1. Log in to the Duo Admin Panel and click Users in the left sidebar.

  2. Select a user by clicking their username. Scroll down to the bottom of the user properties page and click the Add Bypass Code button. Help Desk admins won't see this button if the "Do not allow Help Desk admins to create bypass codes" option is selected on the Settings page.

    Add Bypass Code for User

  3. By default, bypass codes expire after a single use or in one hour, whichever happens first.

    Generate Bypass Code

    To change the expiration and reuse settings, or to define the bypass code (instead of letting the system generate a random string of nine digits) click the Change options link. Help Desk admins won't see this link if the "Do not allow Help Desk admins to customize bypass codes" option is selected on the Settings page.

    Bypass Code Options

    Once you've finished adjusting these options, click Generate Bypass Code to generate the bypass code.

  4. The code is generated and shown in the green bar at the top of the user properties page. It can be used immediately.

    Bypass Code Created

Viewing and Deleting Bypass Codes

View a list of all current bypass codes by clicking Users in the left sidebar, then Bypass Codes.

Bypass Codes List

You'll see at a glance the total number of valid bypass codes and counts of "weak" bypass codes (meaning bypass codes that have no expiration). The table lists which users have been assigned bypass codes, which Duo admin created that bypass code (or "API" if the bypass code was created programmatically via the Admin API) and when the codes will expire or run out of uses. Click each type of user count to filter by that category.

To view a bypass code, click the (show) link next to the code.

To delete a user's bypass code, click the trash icon on the far right of the table. Confirm deletion of the bypass code when prompted.

The Administrator Actions log records detailed information about bypass code creation and deletion events, such as whether the bypass code was manually or automatically generated, the expiration of the bypass code (in minutes), and the total number of uses for the bypass code.
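A periodic review of the bypass code list can be scripted to surface "weak" codes and any code looser than the defaults described above (single use, one hour). This Python sketch is an added example, not Duo's code; the records are constructed, the field names (user, created_by, expiration, uses_left) are assumptions, and treating a missing use limit as unlimited is also an assumption of the example.

```python
from datetime import datetime, timedelta, timezone

DEFAULT_LIFETIME = timedelta(hours=1)  # page default: expires in one hour
DEFAULT_USES = 1                       # page default: single use
NOW = datetime(2024, 1, 31, 12, 0, tzinfo=timezone.utc)  # fixed for repeatability


def ts(**delta):
    """Unix timestamp at NOW plus the given timedelta arguments."""
    return int((NOW + timedelta(**delta)).timestamp())


# Constructed sample of the bypass code table; field names are assumptions.
SAMPLE_CODES = [
    {"user": "narroway", "created_by": "helpdesk@example.com",
     "expiration": ts(minutes=40), "uses_left": 1},
    {"user": "svc-backup", "created_by": "API",
     "expiration": None, "uses_left": None},
    {"user": "jsmith", "created_by": "admin@example.com",
     "expiration": ts(days=14), "uses_left": 25},
]


def review_bypass_codes(codes, now=NOW):
    """Return (user, created_by, reasons) for each code looser than the defaults."""
    flagged = []
    for code in codes:
        reasons = []
        expiration = code["expiration"]
        if expiration is None:
            reasons.append("weak: no expiration")
        elif datetime.fromtimestamp(expiration, timezone.utc) - now > DEFAULT_LIFETIME:
            reasons.append("expires later than the one-hour default")
        if code["uses_left"] is None:
            reasons.append("unlimited uses")
        elif code["uses_left"] > DEFAULT_USES:
            reasons.append("more than one use left")
        if reasons:
            flagged.append((code["user"], code["created_by"], reasons))
    # Weak (non-expiring) codes first: they never age out on their own.
    flagged.sort(key=lambda item: not item[2][0].startswith("weak"))
    return flagged


if __name__ == "__main__":
    for user, creator, reasons in review_bypass_codes(SAMPLE_CODES):
        print(f"{user} (created by {creator}): {'; '.join(reasons)}")
```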

Using Groups

Assigning Duo users to groups simplifies user management. It's especially handy for quickly defining application access or assigning user status. See the Using Groups documentation for more information and detailed instructions.

Duo's Duo Beyond and Duo Access plans let you create granular security policies and apply them to selected groups and applications. See the Policy & Control documentation for more information.

Troubleshooting

Need some help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.
