Thank You, Kristina.

Regards
Vignesh

We have the Username attribute as EMAIL, Will that be a concern?. I had tried to Sync a User without email and it failed. Once I had the mail attribute populated in AD, I was able to sync the user. Any thoughts?

Yes, that is your issue. The username attribute can’t have no source value, or else it’s impossible to create the user. If you create a user without the AD mail attribute populated, and your primary username attribute is email, there is no way to create the Duo user (because there is no information in the email attribute to use for the username).

You should choose an attribute that will always exist, like userPrincipalName or sAMAccountName as your primary Duo username source attribute, and then you could add the mail attribute as a username alias. Since you can’t change the primary username attribute after a sync, this would require some manual migration steps on your part. You can learn more about those migration steps in this KB guide, or contact Support.

Hi Kristina,

If we unsync and resync the User groups to modify the Username field, Will this have an effect on the Users who are already added to the Duo using the AD sync?.We are in Production now, so just wanted to have a confirmation.

Regards
Vignesh

Get Outlook for Android

As I mentioned before, you can’t change the primary username attribute after syncing a directory. If you go to edit your directory to try to change the username attribute you’ll find that option is now greyed out.

Typically, a customer deletes the synced directory to change the username attribute. This action has its own caveats and warnings!

1. When you delete the synced directory it doesn’t delete the user accounts or associated devices from Duo. They just become unmanaged accounts.

2. If you create a new directory sync and specify the same user groups from the previous directory sync config, the sync process reconnects to the existing accounts and they become managed by the sync.

HOWEVER!!!

In your case you want to choose a different username attribute, because not all your users have mail attribute values.

The username attribute you select could create duplicate users in your directory!

Example:

AD user has sAMAccountName set to jfoo and mail set to joe.foo@example.com.

1. Directory sync created the Duo user joe.foo@example.com using the AD mail attribute value.
2. You delete the existing directory sync. The joe.foo@example.com user becomes unmanaged but remains intact.
3. You create a new directory sync, using sAMAccountName as the username value and mail as a username alias.
4. You run the sync.
   4a. Since jfoo isn’t the same as joe.foo@example.com, the sync won’t try to connect to the existing user and instead tries to create a new jfoo user.
   4b. Since joe.foo@example.com already exists as a user, it will fail to create the new jfoo user because it can’t assign the username alias joe.foo@example.com. Aliases and usernames must all be unique.

Since you have concerns about making this change in production, and because the implications of your choices may not be immediately clear, I encourage you to contact Duo Support for assistance with this migration.