Account and Subnet Bypass Policy

We have OWA protected by Duo. AD users are placed inside a “Duo Security Users” group and that group is synchronized into Duo Admin. That group provides access to the OWA Application. We have a Local Subnet Bypass policy configured that bypasses 2FA if OWA is accessed from a device inside the local network. This all works great. My question is this. I removed the Domain “Administrator” account from the “Duo Security Users” Group and that account is no longer synced into Duo Admin. After I did that, the Administrator was no longer able to log in to OWA EVEN though subnet bypass is enabled. Does a user account have to exist despite having a subnet bypass set? I was under the impression that since a subnet bypass policy was set, ANY user, despite NOT having an account synced into Duo, could access the application because 2FA is ignored for that subnet. Perhaps I’m not correct and ANY user needing access to OWA must have an account in Duo and that a Duo license will be consumed by that account despite having subnet bypass policy applied. If I add the Administrator account back into the group and sync it, then that user can log in to OWA.

How long ago did you remove the Administrator account from the synced group? Duo puts a user removed from a sync group into a pending deletion state and prevents login as that user for seven days before permanently deleting the user. If that Administrator user is still sitting in Duo pending deletion, it is correct that you can’t log on as that user even when the subnet would otherwise permit bypass.

You can visit the “Trash” user view to delete that user account from Duo before the seven days are up. Learn more about deleting synced users here.


Thank you! This is exactly what was happening. I didn’t notice that the account dropped into trash and had to be permanently deleted before it would allow the login.


Glad to hear that solved your issue.