Skip navigation

Duo External Directory Synchronization

Last updated:

Learn about importing Duo users, groups, and administrators from your existing external directories into Duo.

Overview

Organizations can import users, groups, and administrators into Duo with directory synchronization from these existing external directory services:

  • Microsoft Active Directory domain (on-premises)
  • OpenLDAP directory (on-premises)
  • Microsoft Entra ID
  • Google Workspace
  • Okta

Duo regularly updates information for imported users and administrators to reflect the latest user status (when possible) and associated device information when available in the source directory. Deprovision synced accounts in Duo by disabling the external directory accounts or removing those users from the synced user or administrator groups.

Scheduled directory synchronization runs every 30 minutes for users and administrators. Run either type of full sync on-demand from the Duo Admin Panel. You can also run an individual user or administrator syncs on-demand from the Admin Panel or programmatically via Admin API.

Inbound SCIM provisioning updates occur automatically based on changes in the source directory.

Active Directory Synchronization

Duo imports users and administrators via LDAP from Active Directory domains. When configuring AD sync, you'll need to install the Duo Authentication Proxy application on a server that can connect to your domain controller.

AD Sync Network Diagram

Learn more about Active Directory synchronization.

Entra ID Synchronization

Duo imports users and administrators directly from Entra ID, without any additional on-premises software installation.

Entra ID Sync Network Diagram

Learn more about Entra ID synchronization

Google Synchronization

Duo imports users and administrators directly from Google, without any additional on-premises software installation.

Google Sync Network Diagram

Learn more about Google synchronization.

Okta Synchronization

Duo imports users directly from Okta via inbound SCIM provisioning, without any additional on-premises software installation.

Okta SCIM Provisioning Network Diagram

Learn more about Okta provisioning.

OpenLDAP Synchronization

Duo imports users and administrators via LDAP from OpenLDAP directories. When configuring OpenLDAP sync, you'll need to install the Duo Authentication Proxy application on a server that can connect to your directory server.

OpenLDAP Sync Network Diagram

Learn more about OpenLDAP synchronization.