Skip navigation

Using Groups

Last Updated: February 7th, 2019


Learn how to use groups to assist with Duo administration.


You can use groups to organize and manage users in Duo. For example, a group can be associated with a particular Duo application and configured so that only users who are members of that group can authenticate to that Duo application. You can change the status of a group to quickly enable or disable multiple users at once. You might also find groups useful for reporting and logging purposes, such as viewing authentication activity only for members of a particular group.

Your group memberships in Duo do not have to be mutually exclusive. Suppose that you have one application for standard use and another application for network administrator use. A network administrator could be a member of two groups, each associated with one of these applications.

The Group Management feature is part of the Duo Beyond, Duo Access, and Duo MFA plans.

Listing Groups

  1. Log in to the Duo Admin Panel and click Groups in the left sidebar.

    The Users table shows group names, the group's authentication status, the number of members, and the group's description, if you entered one.

    List of Groups

    Click the Export button in the upper right side of the log display and select CSV to download information about your Duo groups. The resulting file contains details about the groups and the users in each group. No details are exported for empty groups.

    You can also select Print to print the current page.

  2. Clicking on a group's name displays details about that group, including status and administrative unit information. Scroll down to the bottom of the page to view the group members.

    Group details

Creating a Group

Role required: Owner, Administrator, or User Manager.

You can create Duo groups in three ways:

  • With the Duo Admin Panel, documented below.
  • With a CSV import of users with groups, see Importing Users.
  • With an automated sync of groups from an existing Azure AD or on-premises Active Directory instance. Note that members and some other properties of Duo groups synced from an external directory cannot be edited from Duo.

You can review the current state of all groups from the Groups page.

New Group Button

To manually create a new Duo group:

  1. Click Add Group from the Groups page. From the Dashboard page you can click the Add New... button in the top right and then click Group. Otherwise, click Groups in the left sidebar, then click the + Add Group button or the Add Group submenu item in the left sidebar.

  2. Then enter a unique name for the group. You can optionally add a description for the group; this can be particularly helpful if you have numerous groups because you can sort them alphabetically by description.

    Create a Group

  3. Click Add Group to create the new group.

Group Settings

Role required: Owner, Administrator, or User Manager.

Once you add a group, you'll be able to set its status:

Group Status

Note that there can be differences between the group status and an individual user's status. Duo compares the individual user's status and the status of all groups that user belongs to when determining the effective status.

For example, a group could have a status of Disabled and a user who is a member of that group could have a status of Active. The effective status of that user is Disabled. Conversely, if a user is Disabled and is added to a group whose status is Enabled, that user remains Disabled.

Bypass status means that the user is not required to use two-factor authentication and is not subject to any policy settings restricting access when logging on to a protected resource. When a user's status is Bypass but the user is a member of a group whose status is Disabled, or if the user is Disabled and is a member of a group that is set to Bypass, the user's effective status is Disabled. Bypass status of a user or group takes precedence over Active status of a user or group. If a user is a member of a group with Bypass status and a group with Active status, then the Bypass status is effective and the user is not prompted for two-factor authentication.

The Locked Out status overrides any other group or user status. Users can be unlocked from the Duo administrative interface. Lockouts occur when a user exceeds the allowed number of failed authentication attempts.

User Status Group Status Effective Status
Locked Out Any Locked Out - user cannot authenticate
Disabled Any Disabled - user cannot authenticate
Any Disabled Disabled - user cannot authenticate
Bypass Active Bypass - two-factor authentication not required
Active Bypass Bypass - two-factor authentication not required
Active Active Active - require two-factor authentication

If the group status overrides the user status, there will be a special display on the user page indicating this.

Group Status Override

The "Status" column on the Users page lists the effective status for each user as well.

Using Groups to Manage Application Access

Role required: Owner, Administrator, or Application Manager.

You can allow all groups to authenticate to a particular application, or you can allow just one or more selected groups to use that application. Click on the application of interest from the Applications page (or search the application by name from the search bar at the top of the Admin Panel) to reach the application's properties page. Check the box for Permitted groups, and select the groups permitted to use that application. Saving this change blocks Duo users who aren't members of the selected groups from accessing that application.

Permitted Groups

Note that when this setting is configured it only applies to Duo users with Active status.

Adding Users to Groups

Role required: Owner, Administrator, or User Manager.

Before adding users to a group with Active status you may first want to set group restrictions on your applications.

When you create a new user in the Duo Admin Panel you can specify group membership.

When using directory synchronization with Duo, you have already imported users and their groups as part of the group synchronization process. When Directory Sync manages a group, membership of that group cannot be edited from the Duo administrative interface.

A Duo user can be a member of up to 100 groups.

Add Existing Users to a Group

To add one or more users to a group:

  1. Click Users in the Duo Admin Panel.

  2. Select individual users from the Users page by checking the boxes in the left-hand column (or use the Select (0) button to select all of your users).

  3. Click the bulk action button (...) and then click Add to Group.

    Adding Users to Group

  4. Choose the desired group from the list (you can type in a group name to filter the list), and then click the Add to Group button.

    Select Destination Group

Alternately, to manually add a single user to one or more groups, you can click to view that user from the Users page, then add that user to the desired Duo groups.

Import Users to Groups

You can create new groups and update memberships of existing groups through the Import Users feature. Please see the Import Users page for more information.

Populate a Group Using Directory Sync

When setting up Azure or Active Directory synchronization to Duo, you select one or more domain groups to sync. If a group already exists in Duo with the same name as a directory group chosen for synchronization, Duo updates the existing group members to match the group members in the external directory. Once the group is synced, the group's name and members cannot be modified from the Duo Admin Panel.

Deleting a Group

Role required: Owner, Administrator, or User Manager.

To delete a group:

  1. Click Groups in the Duo Admin Panel. Click on the name of the group you wish to remove, and then click the Delete Group link to the far right of the group name.

  2. Confirm deletion of the group.

    Confirm Group Deletion

  3. The group is deleted.

Groups that are configured in a directory sync cannot be manually deleted from the Duo Admin Panel as long as the directory sync exists.

Restricting Authentication Methods for Groups

If you're on the Duo Access or Duo Beyond plans, use the policy editor to change the "Authentication Methods" policy setting globally or for specific applications and groups of users. See the Policy & Control documentation for more information.

For more information on globally enabled or disabled authentication methods, see the Authentication Methods documentation.


Need some help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.