Activation vs Enrollment emails


whats the difference between Activation emails vs Enrollment emails ?


Enrollment = when a new Duo user is added to Duo, along with devices used to authenticate.

Activation = Configuring the Duo Mobile app for Duo Push notifications.

If you take a look at our enrollment guide…

The steps where the user picks the device type and enters the phone number is enrollment. With that, the user has a phone number for callback or SMS authentication.

The step where the user scans the QR code from the Duo Mobile app is activation. After that, the user can approve Duo Push requests from that phone and use the Duo Mobile app to generate passcodes.

Take a look at our KB article What is the difference between Duo enrollment and activation? for additional clarification. The knowledge base is free and public and a great resource for frequently asked questions about Duo.


Lets consider this scenario

  • sync users to DUO using directory sync feature
  • Those users are automatically sent enrollment emails
  • One of the user added a feature phone (Don’t support DUO App)

In this scenario does the user account show as “Successfully enrolled but not activated” is this correct ?


If the user has a device for authentication the user is fully ENROLLED, whether it is a landline, feature phone, smartphone, etc.

ACTIVATION of the Duo Mobile app is optional, but encouraged for smartphone users so they can use Duo Push or app passcodes instead of phone call/SMS.

Yes, in your example scenario the user is enrolled. You cannot send an enrollment to the user who is already enrolled. You can send them an activation message for the mobile app.


if i reset the AD Sync & remove all those users sync from AD, then again sync them, does this work around provide sending re-enrollment emails again to those i’ve already sent initially ?


If you take the following actions:

  1. Delete the currently configured directory sync.
  2. Delete all formerly synced users (a two-step process; move to trash then delete from trash).
  3. Create a new directory sync, and check the box to send enrollment emails, and do not check the box to import phone numbers.
  4. Run the sync.

Then yes, the previously enrolled users would no longer exist, so when the sync process creates them it will email out an enrollment link (and during enrollment one step is activating the Duo Mobile app).

As before, once the users enroll you cannot send another enrollment link.

What are you seeking to accomplish? There may be a better way to do it if we understood your reason for wanting to have enrolled users enroll again.

Deleting users synced from AD

During our initial DUO setup, it’s mistakenly configured to send automatic enrollment emails to all directory sync users without properly enabling the 2FA in the org. Now we try to send enrollment emails to pilot users for which Duo is sending enrollment emails only to the newly synced / un-enrolled users.

we are trying to achieve to send enrollment emails to pilot users who got enrollments earlier during erroneously done AD sync.


Oh, ok. So, yes, you should probably run through the cleanup steps in my previous comment to completely purge the sync and the erroneously imported users, and then create a new sync, only syncing over a group of pilot users.

Meanwhile, change the new user policy to the “Allow access without 2FA” setting globally or in policies assigned to your pilot applications.

The net result of this is that members of the pilot group will use 2FA to access the pilot applications, and all other users can access the applications without 2FA.

Then, as you expand your Duo deployment, just add more groups to your AD sync configuration (or add more users to the AD pilot group).

Finally, flip the switch to require 2FA for everyone by changing the new user policy back to the default “require enrollment” setting.