User Attributes

Overview

Duo Directory includes a basic list of user attributes. Extend your Duo Directory schema with custom user attributes and populate attribute values manually or from external directories.

Default User Attributes

The default Duo Directory user attributes are:

| Attribute | Description |
| --- | --- |
| Username | The user's primary Duo username. Typically this matches the external application username or primary authentication login name your users submit to Duo. This is the only attribute required to have a value for all users. |
| Display Name | The full name of the user. |
| Email Address | The user's email address. |
| First Name | The user's given name. |
| Last Name | The user's surname or family name. |
| Entra Federated User ID | Used with Microsoft 365 Duo SSO applications. |
| Date of Birth | The user's birthdate. Values must use the format YYYY-MM-DD if you plan to use Duo identity verification. |

These default attributes are assigned by default to the built-in "Primary Attributes" attribute category. You may assign them to other attribute categories you create later if you wish.

View User Attributes and Categories

  1. Log in to the Duo Admin Panel.

  2. Navigate to Users → User Attributes.

The "Primary Attributes" table shows information about Duo default attributes (indicated with a badge) and any custom attributes created without a category, such as the attribute's name, a short description, sources for attribute values, application usage, and the number of users who have values for the attribute.

Manage Attribute Categories

By default, your Duo account has one default attribute category defined, called "Primary Attributes". You may rename the "Primary Attributes" category to something else, or create additional attribute categories. For example, maybe you want to distinguish user attributes you import from Active Directory which are unique to AD, like msDS-PrincipalName. You can create an "AD Attributes" attribute category, and then when you create your custom attribute for msDS-PrincipalName you'd assign it to the "AD Attributes" category.

Add an Attribute Category

Role required: Owner, Administrator, or User Manager.

  1. Log in to the Duo Admin Panel.

  2. Navigate to Users → User Attributes.

  3. Click + Add attribute category.

  4. Enter a unique name for the new attribute category and click Add.

The new, empty attribute category is shown below your existing categories.

Rename an Attribute Category

Role required: Owner, Administrator, or User Manager.

You may rename the default "Primary Attributes" category or any custom category you create.

  1. Log in to the Duo Admin Panel.

  2. Navigate to Users → User Attributes.

  3. Locate the attribute category you want to rename and click Edit category in the upper-right of that table.

  4. Choose Rename category from the drop-down menu.

  5. Enter a new and unique name for the attribute category and click Save.

Reorder Attribute Categories

Role required: Owner, Administrator, or User Manager.

Change the display order of your attribute categories on the "User Attributes" page.

  1. Log in to the Duo Admin Panel.

  2. Navigate to Users → User Attributes.

  3. Locate the attribute category you want to move on the page and click Edit category in the upper-right of that table.

  4. Choose Move up or Move down from the drop-down menu to put your categories in your desired display order.

Delete an Attribute Category

Role required: Owner, Administrator, or User Manager.

You cannot delete the default "Primary Attributes" table (even if you've renamed it).

  1. Log in to the Duo Admin Panel.

  2. Navigate to Users → User Attributes.

  3. Locate the attribute category you want to delete and click Edit category in the upper-right of that table.

  4. Choose Delete category from the drop-down menu.

  5. If the category currently contains no attributes then click Delete. If the category does contain attributes, choose a destination attribute category for the user attributes in the category to delete under Move attributes to:, and then click Move and delete.

Manage User Attributes

Add a Custom User Attribute

Role required: Owner, Administrator, or User Manager.

  1. Log in to the Duo Admin Panel.

  2. Navigate to Users → User Attributes. The attribute category tables on the page list your existing attributes.

  3. Click + Add user attribute.

  4. Enter a name for your new attribute in the Name field. The name you enter can contain a maximum of 256 alphanumeric characters, spaces, hyphens, and periods. You may also enter a description up to 256 characters.

  5. Select an Attribute category for the new attribute. The default selection is the built-in "Primary Attributes" category, even if you have renamed it to something else.

  6. Click Add Custom Attribute to save your new attribute.

This example adds a custom attribute to the default "Primary Attributes" category to hold an employee ID value.

[Image: New Custom User Attribute]

Edit a User Attribute

Role required: Owner, Administrator, or User Manager.

You may not change the name or description of any default Duo user attributes.

  1. Log in to the Duo Admin Panel.

  2. Navigate to Users → User Attributes.

  3. Locate the attribute you want to edit and click its name.

  4. Choose Rename category from the drop-down menu.

  5. You can update the Name, Description, or choose a different Attribute category if you're editing a custom user attribute. If it is a default Duo attribute then you can only choose a different category.

  6. Click Save.

Move User Attributes

Role required: Owner, Administrator, or User Manager.

Change the display order of your user attributes within an attribute category or reassign attributes to a different category on the "User Attributes" page.

  1. Log in to the Duo Admin Panel.

  2. Navigate to Users → User Attributes.

  3. Select the user attribute or attributes you want to move in one of your attribute category tables and click Move to in the upper-right of that table.

  4. You can choose a new destination attribute category from the drop-down menu to move the selected attributes to that category, or choose to move the selected attributes up, down, to the top, or to the bottom of their current category to update the display order.

Delete a User Attribute

Role required: Owner, Administrator, or User Manager.

You cannot delete any default Duo user attributes.

  1. Log in to the Duo Admin Panel.

  2. Navigate to Users → User Attributes.

  3. Select the custom user attribute or attributes you want to delete in one of your attribute category tables and click Delete in the upper-right of that table. You will be asked to confirm deletion of the attribute(s). Click Cancel to leave the attribute(s) intact.

Custom Attribute Uses

Import Attribute Values with Directory Sync

Your external directory sync configurations can import values for your custom attributes from external directories.

  1. When creating a new directory sync, or while viewing the details of an existing directory sync, scroll down to the "Synced Attributes" section of the page.

  2. Click the Add Attribute button and select the custom attribute you would like to add to this directory sync from the list.

  3. Enter the external directory source attribute's name in the text field.

This example imports the employeeid attribute from an external directory into Duo as the "Employee ID" custom attribute.

[Image: Custom User Attribute in Directory Sync Configuration]

Add Custom Attributes to Users from the Admin Panel

You can update individual users to add additional user attribute values from the Admin Panel. Identify user attributes that were manually added by the presence of a Remove action to the right of the input field.

Role required: Owner, Administrator, or User Manager.

  1. Locate the user you want to edit using the search tool at the top of the page, or navigate to Users → Users. Click the username to view their details page.

  2. Scroll down to and click Add Attribute.

  3. Select an available user attribute from the list.

  4. The selected attribute appears above the add button. Enter your desired value for that attribute in the text field.

  5. Scroll down and click Save Changes.

This example adds the default "First Name" attribute to the user. The "Employee ID" custom attribute has already been added to the user with a value.

[Image: Custom User Attributes in User Details]

When you add a new user in the Admin Panel you can add additional attributes immediately after user creation.

Delete Attributes from Users

Delete an additional attribute from a user by clicking the Remove action to the right of the attribute's value.

Import Attribute Values from CSV Files

You can import values for any custom attributes you create via CSV file import. See Importing Users for more information.
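A pre-import check for the value rules this page states (Username is the only required attribute, Date of Birth must be YYYY-MM-DD for identity verification, and custom attribute names allow at most 256 alphanumeric characters, spaces, hyphens, and periods). This is an added example, not Duo's code; the CSV column layout and sample rows are constructed for illustration and are not Duo's import format, and treating "alphanumeric" as ASCII-only is an assumption.

```python
import csv
import io
import re
from datetime import date

# Rules quoted from this page; ASCII-only "alphanumeric" is an assumption.
NAME_RE = re.compile(r"[A-Za-z0-9 .-]{1,256}")
DOB_RE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")

# Constructed sample; the column layout is hypothetical, not Duo's import format.
SAMPLE_CSV = """Username,Date of Birth,Employee ID,Cost_Center
alice,1990-04-17,E1001,CC1
bob,17/04/1990,E1002,CC2
,1985-02-30,E1003,CC3
carol,,E1004,CC4
"""

def valid_attribute_name(name):
    """At most 256 characters: alphanumerics, spaces, hyphens, periods."""
    return NAME_RE.fullmatch(name) is not None

def valid_dob(value):
    """Strict YYYY-MM-DD that is also a real calendar date."""
    if not DOB_RE.fullmatch(value):
        return False
    try:
        date.fromisoformat(value)
    except ValueError:
        return False
    return True

def check_rows(csv_text):
    """Return (line_number, problem) tuples for a CSV of attribute values."""
    reader = csv.DictReader(io.StringIO(csv_text))
    problems = []
    for col in reader.fieldnames or []:
        if not valid_attribute_name(col):
            problems.append((1, f"invalid attribute name: {col!r}"))
    for row in reader:
        n = reader.line_num
        if not (row.get("Username") or "").strip():
            problems.append((n, "Username is empty"))
        dob = (row.get("Date of Birth") or "").strip()
        if dob and not valid_dob(dob):
            problems.append((n, f"Date of Birth not YYYY-MM-DD: {dob!r}"))
    return problems

if __name__ == "__main__":
    for line, problem in check_rows(SAMPLE_CSV):
        print(f"line {line}: {problem}")
```

An empty Date of Birth is accepted because only Username must have a value; see Importing Users for the actual column headers Duo expects.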

Map Attributes from External SSO Sources

If you use an external authentication source with Duo Single Sign-On, such as Active Directory or a SAML identity provider, you can map custom user attributes to attributes that exist in your external authentication source. You can then configure your Duo SSO SAML applications to send your mapped custom attribute values from the external authentication source to the application when users sign in.

This example maps the "Employee ID" custom attribute to an employeeID attribute in an external SSO SAML authentication source.

[Image: Custom User Attribute Mapped to SSO Authentication Source]

Outbound Provisioning

When configuring outbound provisioning for an application, user attributes can be mapped to application attributes. In this example, both default user attributes and the custom "Employee ID" attribute have been mapped to attributes supported by the external application.

[Image: User Attributes Mapped in Outbound Provisioning]