Admin permission granularity

We struggle with Duo’s native permissions and the lack of granularity or customization.

Two common pain points, User Managers can put a user in Bypass (we’d prefer only administrators can do this), and the Billing Admin role cannot see the Accounts tab to view user counts per organization we manage (MSP).

Is there something I’m missing or are there any plans to address this in the future?

Also, we’d love it if users did not have to be admins in our tenant to support client tenants. They should be defined in our tenant, but not have any rights to our tenant unless expressly given.

Hi Adam, and welcome to Duo Community! Thank you for sharing your feedback and question here. I apologize that I did not see your initial post until now.

You’re correct that Duo roles include a predefined set of permissions and are not customizable. As far as I know, there are no plans to address this in the future, but you can make a feature request through the official channels to show your interest.

I am not an expert when it comes to MSP accounts, but I believe this possible today. Duo Support can walk you through the process to accomplish this, or someone in our MSP forum may be able to tell you.