
Enrolling Users


Duo provides several enrollment methods to add users to the system. Self-enrollment allows users to add themselves to Duo and walks them through setting up a device for two-factor authentication. Larger organizations may prefer one of the automatic enrollment options, like synchronizing users from an external Microsoft directory. Administrators can create individual Duo users at any time (manual enrollment).

Overview

Users — and their phones, tablets, or hardware tokens — must be enrolled into Duo before they can start using the system. Enrolling may include the optional step of activating the user for Duo Mobile, which allows your users to generate passcodes from the Duo Mobile app or use one-tap authentication with Duo Push. In order to use Duo Push, users will need to install the Duo Mobile app on their devices and then add their Duo account to the app. This process will only take the user a few minutes.

Important

Duo administrator accounts are only used to log on to the Admin Panel. They can't be used to access devices or applications using Duo two-factor authentication. Be sure to also enroll your Duo admins as users if they need to log on to Duo-protected services.

Users (identified by their usernames) are shared between applications, so a user only needs to complete enrollment and activation in Duo once to gain access to multiple applications. User access can be restricted to specific applications through group policies.

There are three methods of enrollment: automatic enrollment, self-enrollment, and manual enrollment. The automatic enrollment and self-enrollment methods save you the time and effort of manually adding your Duo users.

  • Automatic enrollment: Admins can add a group of users and then send them activation links that each user follows to complete enrollment. Users are created in Duo immediately.
    • Active Directory sync: For customers who already rely on an Active Directory (AD) domain. Learn how to use AD sync.
    • Azure AD sync: For customers using an Azure Active Directory (AAD) domain as their user identity store. Learn how to use Azure sync.
    • Import users: Admins can create detailed entries for each user with a simple CSV file. See more information about importing users.
  • Self-enrollment: Users add themselves to Duo through a browser interface and step through the installation and configuration of Duo Mobile. Takes under two minutes for the user.
    • Inline self-enrollment: Features an interactive setup process that is seamlessly integrated with the user's next login. Inline self-enrollment is available for applications featuring browser-based logins as well as Duo Unix.
    • Bulk self-enrollment: SMS/email based. Available for all applications, but requires that administrators send activation links to users. Users are created in Duo before the user completes activation.
  • Manual enrollment: Admins manually add individual users and send activation links.

Duo Beyond and Duo Access Plan Users: Global Policy settings affect access to the enrollment portal. Do not apply any global restrictions that could prevent user enrollment. For example, if you configure the User Location policy setting to deny access to a country, then the policy will also block any of your users who attempt to enroll in Duo from that country via a bulk enrollment link. The New User Policy setting for the enrollment portal is always "Require Enrollment".

Automatic Enrollment

An alternative to self-enrollment is to use Duo's automatic enrollment features to create users, associate them with devices, then generate a Duo Mobile activation link for each user. The automatic enrollment features are Active Directory Sync, Azure Sync, and Import Users.

Active Directory Sync

Role required: Owner, Administrator, or User Manager.

Since many large organizations already rely on an on-premises Active Directory (AD) server to manage their users, Duo offers tools to synchronize your Duo and AD users and groups. This includes the ability to automatically send an enrollment email to every user without an attached phone who has a valid email address. Please see our Active Directory Sync guide.

Azure Active Directory Sync

Role required: Owner, Administrator, or User Manager.

Organizations using a cloud-hosted Azure directory to provide application access can import users and groups directly from Azure to Duo, with the option of automatically sending an enrollment email to every user without an attached phone who has a valid email address. Please see our Azure Sync guide.

Import Users

Role required: Owner, Administrator, or User Manager.

Duo provides an Import Users feature that can import user information from a properly formatted CSV (comma-separated values) file. The import users feature differs from bulk enrollment in that it allows the admin to supply additional user details (e.g., entries can be created already populated with a phone number and device platform, group memberships, multiple devices, etc.). Also, users imported this way can be managed from the Duo Admin Panel right away.

Although the import users function is primarily intended to add users, you can also use it to update information for existing users and to delete Duo users whose accounts are no longer needed.

Unlike bulk enrollment, the import users tool does not automatically send enrollment emails to users. Follow the Activating Users After Enrollment instructions below to send activation links to your imported users.

Self-Enrollment

Duo recommends allowing users to enroll themselves whenever possible, either using inline self-enrollment or bulk self-enrollment. In either case, users add themselves to Duo by following online instructions to install Duo Mobile on their mobile devices and add their accounts. Self-enrollment only takes two minutes and each user will only need to do it once.

Duo User Enrollment Process

See the End User Enrollment Guide for a complete walkthrough of self-enrollment.

Inline Self-Enrollment

Role required: Owner, Administrator, or Application Manager.

Inline self-enrollment is available for most web-based applications: SSL VPNs, Outlook Web Access, WordPress, etc., as well as Duo Unix applications (Duo Unix users are given an enrollment link that they can copy and paste into a web browser).

To set up inline self-enrollment for an application:

  1. Log into the Duo Admin Panel. Click Applications in the left sidebar, and then select the application whose enrollment policy you'd like to modify.

  2. Select Require Enrollment. Unenrolled users will now be prompted to enroll the next time they attempt to log in with their existing username and password.


Bulk Self-Enrollment

Role required: Owner, Administrator, or User Manager.

If your application type doesn't support inline self-enrollment (as is the case with OpenVPN, RDP and RDGateway, certain VPN clients, and some others), then you can use the bulk self-enrollment tool to send enrollment links to your users via email. If your organization uses email filtering, be sure to whitelist the sender no-reply@duosecurity.com.

  1. Log into the Duo Admin Panel. Click Users in the left sidebar, then click the Bulk Enroll Users submenu or click the Bulk Enroll Users button near the top of the page.


  2. Type or paste in a CSV (comma-separated value) set of usernames and email addresses. The "Bulk Enroll Users" tool won't send a new enrollment email to an existing enrolled user.


  3. You now have a chance to review and customize the self-enrollment email message sent to your users. Check the box to save this custom email and subject line for future use. When you are satisfied with the email message and subject line, click the Send Enrollment Links button at the bottom of the page.


  4. Users receive custom links via email which will allow them to complete self-enrollment. The enrollment link expires after thirty days.


    Users appear listed in the "Users" section of the Duo Admin Panel as soon as the enrollment link is sent.

  5. The Pending Enrollments table shows which users created by bulk enrollment or directory sync have not yet completed enrolling their 2FA devices in Duo, along with the user's email address and the expiration date for the enrollment link previously sent. If you need to send the user another copy of the enrollment link email, click the Resend button. Resending the email does not change the current enrollment link's expiration date.

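A pre-flight check for the list pasted in step 2, as an added example that is not part of Duo's documentation or tooling. It assumes one `username,email` pair per row and that you supply the set of already enrolled usernames yourself; the function name `preflight` and the sample rows are constructed for illustration.

```python
import csv
import io
import re

# Syntactic sanity check only, not full RFC 5322 validation.
EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")

def preflight(csv_text, enrolled=()):
    """Sort pasted rows into (ready, skipped, problems) before bulk enrollment."""
    enrolled = {u.strip().lower() for u in enrolled}
    ready, skipped, problems = [], [], []
    seen = {}  # lowercased username -> line where it first appeared
    reader = csv.reader(io.StringIO(csv_text))
    for row in reader:
        lineno = reader.line_num
        if not any(cell.strip() for cell in row):
            continue  # blank line
        if len(row) != 2:
            problems.append((lineno, "expected exactly username,email"))
            continue
        username, email = row[0].strip().lower(), row[1].strip()
        if not username:
            problems.append((lineno, "empty username"))
        elif not EMAIL_RE.match(email):
            problems.append((lineno, f"invalid email for {username}"))
        elif username in seen:
            # Duo lowercases usernames, so both rows would map to one Duo user.
            problems.append((lineno, f"{username} duplicates line {seen[username]} after lowercasing"))
        elif username in enrolled:
            skipped.append(username)  # the tool sends these no new email
        else:
            seen[username] = lineno
            ready.append((username, email))
    return ready, skipped, problems

# Constructed sample input (not real accounts).
SAMPLE = """\
JSmith,jsmith@example.com
jsmith,john.smith@example.com
adoe,adoe@example
bwong,bwong@example.com
cdiaz,cdiaz@example.com,extra
"""

if __name__ == "__main__":
    ready, skipped, problems = preflight(SAMPLE, enrolled=["BWong"])
    print("ready:", ready, "already enrolled:", skipped)
    for lineno, reason in problems:
        print(f"line {lineno}: {reason}")
```

Rows reported as problems are worth resolving by hand before sending links, since a case-only username collision means two directory entries would share one Duo user.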

Manual Enrollment

Role required: Owner, Administrator, or User Manager.

Admins can add individual users and phones from the Duo Admin Panel. To add a new user manually:

  1. Log into the Duo Admin Panel.

  2. From the Dashboard page you can click the Add New... button in the top right and then click User. Otherwise, click Users in the left sidebar, then click the + Add User button or the Add User submenu item in the left sidebar.


  3. Type in the username. A Duo username should match the user's primary authentication username. Duo usernames are not case-sensitive and are normalized to lowercase.


    Note

    To ease the integration of your systems and Duo, different application types allow for varying degrees of username normalization. Username normalization preferences are set on the properties page for each application.

  4. Once the user is created you will see a blue bar asking you to add a phone for this user. Click the Add one link to do so.


  5. Choose "Phone" or "Tablet," and type in the phone number (leave this field blank if adding a tablet). Click the Add Phone button.


  6. Choose the appropriate phone "Type" and "Platform" from the drop-down menus and enter a "Device name" (this field can be left blank). If you know the device is a smartphone but aren't sure exactly what the platform is, choose "Generic Smartphone" and the actual platform will be set when the user completes activation. Click the Save Changes button.


  7. Click the "Activate Duo Mobile" link at the top of the page. This link is only available when you set the phone type to "Mobile" and selected something other than "Unknown" as the platform.


    Then on the next page click the Generate Duo Mobile Activation Code button. By default, activation codes will expire after 24 hours. You can change the activation code expiration by entering a different value.


  8. Next, you'll see two text messages that you can send. The first has a link that helps the user install Duo Mobile. The second message has a code that the user can use to immediately add the account to his or her Duo Mobile app. Click the Send Instructions by SMS button to send the text messages to the user's phone. These instructions can also be copied and pasted into an email, if that's preferable.


    If the device is an iPad, Windows, or Android tablet, you can either email the activation instructions to the device, or convert this link to a QR code, which the user can then scan with the Duo Mobile app. To create your QR code, go to the Google URL shortener, paste the link into the text field, and click the Shorten URL button. When the page reloads, click the Details link next to the entry for your converted link. Google will automatically generate a valid QR code.

Activating Users After Enrollment

Role required: Owner, Administrator, or User Manager.

You can easily send activation texts or emails to users created via automatic and manual enrollment methods from the Duo Admin Panel. If your organization uses e-mail filtering, be sure to whitelist the sender no-reply@duosecurity.com.

  1. Log into the Duo Admin Panel. Click Users in the left sidebar.

  2. You'll see a notification bar at the top of the page indicating that some users who have an attached smartphone or tablet device have not yet activated Duo Mobile.


    Note: A user's device must be assigned the type "Mobile" with a known device platform (i.e., any platform other than "Unknown") before that user can be sent an activation link. Users without a known platform associated with their device cannot be sent activation links. If you know that a user has a smartphone, but don't know which kind it is, choose Generic Smartphone as the device platform.

  3. Click the "Click here to send them activation links" link in the notification bar to send activation links to your remaining unactivated users. You have the option of sending the activation links to users by either SMS or email. If you choose Email, the Duo users with email addresses who are not activated and who have a smartphone device attached are shown. If you choose SMS, all unactivated users with attached smartphones are shown.


    Select which users will receive activation links by checking the box next to their usernames. To select all users, check the box next to the "Username" column header.

    After selecting the desired users, you can customize the SMS or email message they will receive. When finished selecting users and customizing the email, click the Send Email to Selected Users button.


    Note: Users who have recently been sent activation links from the Duo Admin Panel cannot be sent a new link until the existing links expire (by default, 24 hours after sending).

  4. The selected users receive an SMS or email message with an activation link and QR code, as well as links to the Duo Mobile app for all supported platforms. Once a user opens the link on his or her device, or scans the QR code with the Duo Mobile app, the Duo account is added and the user is fully activated.


APIs

Advanced customers can use Duo's Admin API to programmatically create users and devices, associate users to devices, and generate Duo Mobile activation links. Please contact us to request access to our APIs.

Troubleshooting

Need some help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.
