Duo Directory

You can now use Duo as a true identity provider, offering a cloud-based user directory for single sign-on applications and advanced security like phishing-resistant MFA, passwordless authentication, and device trust and security posture evaluation.

Overview

Duo Directory extends our secure multi-factor authentication (MFA) platform with more identity and access management (IAM) and identity provider (IdP) functionality. Duo isn't just a multi-factor authentication product any more; we're your full-stack identity management solution. Duo Essentials, Duo Advantage, and Duo Premier plans can use Duo's directory features.

Duo Directory is...

  • Flexible

    Host your users in Duo with no additional identity store required, or leverage your existing on-premises or cloud identity stores as external authentication or user import sources. Choose between traditional authentication with passwords or opt into complete passwordless authentication for different sets of users.

  • Compatible

    With support for SAML and OIDC, you can federate almost any service provider application with Duo Single Sign-On. Perform inbound or outbound SCIM 2.0 provisioning. Just need MFA? Add secure secondary authentication to RADIUS, LDAP, API, and web applications.

  • Secure

    We embed secure design into every layer of our product, and enable enhanced security options for you by default to protect your users, applications, and information.

Learn more about the benefits of Duo Directory.

Duo Directory Features

New features and service enhancements include:

Example Use Cases

These are some sample deployment and configuration journeys for different Duo Directory use cases.

Duo as the Primary Identity Provider

  1. Create or import Duo users.

  2. Create Duo directory custom attributes.

  3. Set up routing rules for multiple authentication sources (optional).

  4. Configure an SSO application.

  5. Review or edit policies.

  6. Configure and apply an enrollment policy.

  7. Enroll a new user via a prior identity provider, enrollment codes, or enrollment emails.

  8. Authenticate to your SSO application with Duo password and MFA or with passwordless authentication.

  9. Check administrator and authentication reporting.

Passwordless Authentication with Existing Identity Provider and Complete Passwordless

  1. Create or import Duo users.

  2. Create Duo directory custom attributes.

  3. Set up routing rules for multiple authentication sources (optional).

  4. Configure an SSO application.

  5. Review or edit policies.

  6. Edit the authentication method policy to disable password fallback by ensuring only passwordless methods remain enabled. Also enable the bypass code passwordless method for temporary user access during passwordless authentication.

  7. Configure an enrollment policy without a password requirement.

  8. Enroll a new user via a prior identity provider, enrollment codes, or enrollment emails.

  9. Authenticate to your SSO application with passwordless authentication.

  10. Check administrator and authentication reporting.

Automate Provisioning of Users and Groups from Duo into Applications

  1. Create or import Duo users.

  2. Create Duo directory custom attributes.

  3. Configure an SSO application.

  4. Set up automated provisioning into Microsoft 365, Google, or SCIM 2.0 supported applications.

Use Duo SSO and/or Passwordless with Microsoft 365

If you would like to use Duo SSO and/or Passwordless with Microsoft 365 without an on-premises Active Directory, you must set up automated provisioning for Microsoft 365 for all users. This ensures that the required "Entra Federated User ID" attribute exists for your Duo users.

See the Entra ID information in the Duo Passwordless and External Identity Providers documentation for more details about this use case.

  1. Create or import Duo users.

  2. Create Duo directory custom attributes.

  3. Create a Microsoft 365 SSO application and federate Microsoft 365 with Duo SSO.

  4. Set up automated provisioning for Microsoft 365.

  5. Review or edit policies.

  6. Configure and apply an enrollment policy.

  7. Enroll a new user via a prior identity provider, enrollment codes, or enrollment emails.

  8. Authenticate to Microsoft 365 applications with Duo password and MFA or with passwordless authentication.

Guided Onboarding

We recommend that you follow the in-product onboarding guidance as you begin your Duo deployment. Please see the Getting Started guide for more information.