As I mentioned before, you can’t change the primary username attribute after syncing a directory. If you go to edit your directory to try to change the username attribute you’ll find that option is now greyed out.
Typically, a customer deletes the synced directory to change the username attribute. This action has its own caveats and warnings!
When you delete the synced directory it doesn’t delete the user accounts or associated devices from Duo. They just become unmanaged accounts.
If you create a new directory sync and specify the same user groups from the previous directory sync config, the sync process reconnects to the existing accounts and they become managed by the sync.
In your case you want to choose a different username attribute, because not all your users have
mail attribute values.
The username attribute you select could create duplicate users in your directory!
AD user has
sAMAccountName set to
mail set to
- Directory sync created the Duo user
firstname.lastname@example.org using the AD
mail attribute value.
- You delete the existing directory sync. The
email@example.com user becomes unmanaged but remains intact.
- You create a new directory sync, using
sAMAccountName as the username value and
mail as a username alias.
- You run the sync.
jfoo isn’t the same as
firstname.lastname@example.org, the sync won’t try to connect to the existing user and instead tries to create a new
email@example.com already exists as a user, it will fail to create the new
jfoo user because it can’t assign the username alias
firstname.lastname@example.org. Aliases and usernames must all be unique.
Since you have concerns about making this change in production, and because the implications of your choices may not be immediately clear, I encourage you to contact Duo Support for assistance with this migration.