Excellent, so you definitely have some flexibility on how to approach this.
In your case, it still sounds like your best and the least complex approach is to set your new user policy for each application to “Allow” and then ensure that the groups you’ve selected to sync with Duo do not contain any student accounts or accounts that you do not want to require 2FA or enrollment. This essentially creates an opt-in experience: Any username that Duo doesn’t know about will not be prompted for 2FA OR enrollment. If you decide to require Duo for additional user audiences, simply add them to one of your synced groups and they will be prompted to complete inline enrollment the next time they log in to a Duo protected application (or they could click on an enrollment e-mail link).
** Keep in mind that those partially enrolled users still consume a Duo license!
A second approach would utilize Group Policies.
Let’s say you have your group of users that you want to require and enforce 2FA. We’ll call this group “Duo-2FA-Enforce”.
We don’t want to require users who are not part of this group to have to 2FA or enroll. To accomplish this we will set an Application policy with the “Group Access Policy” set to “Allow Access Without 2FA”.
Next, while still within the application properties, we’ll create a Group Policy and name it “GP-Enforce-Duo”. We’ll then select the “Duo-2FA-Enforce” group as a target group for this policy. This policy will have the “New User Policy” set to Require Enrollment and the Group Policy to “No Action”.
Since group policies override application policies, users who belong to “Duo-2FA-Enforce” will be prompted to 2FA or to enroll. The application policy then applies to everyone else logging into the application, so users who do not belong to “Duo-2FA-Enforce” will not have to 2FA or enroll.
The drawback with this approach becomes determining when a user or group of users has completed enrollment. If you happen to sync in additional new AD groups and have enrollment e-mail enabled, 2FA or inline enrollment will not be required until you modify the group policy to also target those newly imported groups. Users could still of course enroll at any time by clicking the link in the enrollment e-mail. This provides a grace period between when a user enrolls and when they may begin to actually see 2FA when logging into an application.
Hopefully this provides some food for thought!
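As an added illustration (not part of the original reply, and not Duo's own code or API), the following Python model encodes the precedence rules the reply describes for both approaches: the application's New User Policy decides what happens to usernames Duo does not know, synced-but-unenrolled users are sent through inline enrollment, and a Group Policy overrides the Application Policy only for users in its target groups. The `Policy` and `User` structures, the setting names, and the sample accounts are assumptions constructed for the demonstration; the point it makes visible is the drawback from the last paragraph, where a newly synced group is prompted under the first approach but silently passes through under the second until the group policy is updated to target it.

```python
# Constructed model of the policy precedence described in the reply above.
# It is NOT Duo's implementation; field names and rules are assumptions
# derived from the reply's wording, not from the Duo Admin Panel or API.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Possible outcomes for one login attempt.
PROMPT_2FA = "prompt_2fa"            # enrolled user must complete 2FA
PROMPT_ENROLL = "prompt_enrollment"  # user is sent through inline enrollment
ALLOW_NO_2FA = "allow_without_2fa"   # user is let through without Duo


@dataclass(frozen=True)
class Policy:
    """Only the two settings the reply discusses are modelled."""
    name: str
    new_user_policy: str                          # "allow" or "require_enrollment"
    group_access: str                             # "no_action" or "allow_without_2fa"
    target_groups: FrozenSet[str] = frozenset()   # empty => application-level policy


@dataclass(frozen=True)
class User:
    username: str
    groups: FrozenSet[str]   # directory group memberships
    known_to_duo: bool       # has the account been synced into Duo?
    has_device: bool         # has the user completed enrollment?


def effective_policy(user: User, app_policy: Policy, group_policies: List[Policy]) -> Policy:
    """Group policies override the application policy for users in a targeted group."""
    for gp in group_policies:
        if user.groups & gp.target_groups:
            return gp
    return app_policy


def resolve(user: User, app_policy: Policy, group_policies: List[Policy]) -> str:
    """Decide what a login attempt sees, following the reply's description."""
    policy = effective_policy(user, app_policy, group_policies)
    if policy.group_access == "allow_without_2fa":
        return ALLOW_NO_2FA
    if not user.known_to_duo:
        # Usernames Duo has never seen are governed by the New User Policy.
        return ALLOW_NO_2FA if policy.new_user_policy == "allow" else PROMPT_ENROLL
    if not user.has_device:
        # Synced but not yet enrolled ("partially enrolled"): inline enrollment.
        return PROMPT_ENROLL
    return PROMPT_2FA


# Approach 1 (assumed config): New User Policy "Allow", no group policy at all.
APPROACH1_APP = Policy("App-OptIn", new_user_policy="allow", group_access="no_action")

# Approach 2 (assumed config): application allows access without 2FA; the
# GP-Enforce-Duo group policy targets Duo-2FA-Enforce and requires enrollment.
APPROACH2_APP = Policy("App-AllowNo2FA", new_user_policy="allow", group_access="allow_without_2fa")
GP_ENFORCE = Policy("GP-Enforce-Duo", new_user_policy="require_enrollment",
                    group_access="no_action", target_groups=frozenset({"Duo-2FA-Enforce"}))


def approach1(user: User) -> str:
    return resolve(user, APPROACH1_APP, [])


def approach2(user: User) -> str:
    return resolve(user, APPROACH2_APP, [GP_ENFORCE])


# Constructed sample accounts (hypothetical names).
STAFF_ENROLLED = User("alice", frozenset({"Duo-2FA-Enforce"}), known_to_duo=True, has_device=True)
STAFF_SYNCED_NOT_ENROLLED = User("bob", frozenset({"Duo-2FA-Enforce"}), known_to_duo=True, has_device=False)
STUDENT_UNKNOWN = User("student1", frozenset({"Students"}), known_to_duo=False, has_device=False)
# A freshly synced AD group that the group policy does not target yet.
NEW_GROUP_SYNCED = User("carol", frozenset({"Faculty-New"}), known_to_duo=True, has_device=False)


def compare(users: List[User]) -> Dict[str, Dict[str, str]]:
    """Side-by-side outcome of both approaches for each user."""
    return {u.username: {"approach1": approach1(u), "approach2": approach2(u)} for u in users}


if __name__ == "__main__":
    for name, outcome in compare([STAFF_ENROLLED, STAFF_SYNCED_NOT_ENROLLED,
                                  STUDENT_UNKNOWN, NEW_GROUP_SYNCED]).items():
        print(f"{name:10s} approach1={outcome['approach1']:18s} approach2={outcome['approach2']}")
```

Running it shows `carol` (the newly synced group) as `prompt_enrollment` under approach 1 but `allow_without_2fa` under approach 2, which is exactly the grace-period behaviour the reply warns about; the fix in the model, as in the Admin Panel, is adding the new group to the group policy's target groups.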