Contents
Learn about importing Duo users, groups, and administrators from your existing external directories into Duo.
Overview
Organizations can import users, groups, and administrators into Duo with directory synchronization from these existing external directory services:
- Microsoft Active Directory domain (on-premises)
- OpenLDAP directory (on-premises)
- Microsoft Entra ID
- Google Workspace
- Okta
Duo regularly updates information for imported users and administrators to reflect the latest user status (when possible) and associated device information when available in the source directory. Deprovision synced accounts in Duo by disabling the external directory accounts or removing those users from the synced user or administrator groups.
Scheduled directory synchronization runs every 30 minutes for users and administrators. Run either type of full sync on-demand from the Duo Admin Panel. You can also run an individual user or administrator syncs on-demand from the Admin Panel or programmatically via Admin API.
Inbound SCIM provisioning updates occur automatically based on changes in the source directory.
Active Directory Synchronization
Duo imports users and administrators via LDAP from Active Directory domains. When configuring AD sync, you'll need to install the Duo Authentication Proxy application on a server that can connect to your domain controller.

Learn more about Active Directory synchronization.
Entra ID Synchronization
Duo imports users and administrators directly from Entra ID, without any additional on-premises software installation.

Learn more about Entra ID synchronization
Google Synchronization
Duo imports users and administrators directly from Google, without any additional on-premises software installation.

Learn more about Google synchronization.
Okta Synchronization
Duo imports users directly from Google via inbound SCIM provisioning, without any additional on-premises software installation.

Learn more about Okta provisioning.
OpenLDAP Synchronization
Duo imports users and administrators via LDAP from OpenLDAP directories. When configuring OpenLDAP sync, you'll need to install the Duo Authentication Proxy application on a server that can connect to your directory server.
