Blacklisting phone numbers and IPs

Dear Duo,

Is there any way to PREVENT certain phone numbers and IPs from signing up for MFA (using the inline prompt or the self-service site) with an account?

In addition, is there anyway to LIMIT signing up for MFA to a certain IP range?



1 Like

Hey Thomas, it looks like an Authorized Networks policy would accomplish most of what you’re after. Check it out and let me know.

Thanks for the suggestion,

The Authorized Network Policy allows for “force enrolment IP range” or for IP range where all MFA is blacklisted.

But we want to have the capability to just prevent the initial enrolment by IP range, and only allow the initial enrolment event from a specific range, but afterward the MFA (regular authentication events) should be open to the user from anywhere.

I can’t think of a way to achieve this with Duo.


Hey Thomas,

That is an excellent feature request to include in the Duo Policy Engine.

While it is not possible to achieve this in that manner at this time, we do have customers restricting enrollment to internal networks using a combination of the Policy Engine and our Device Management Portal.

The first thing that you will need to do is to stand up our Device Management Portal on a non-internet exposed web server.

Next, you will want to take a look at your Duo Policy. The most important policy option for this scenario is the New User Policy. What you will want is to create an Application Policy for your new Device Management Portal integration that has the New User Policy set to Require Enrollment.

After getting that setup, you will want to to change any other Application Policies as well as your Global Policy. If you are looking to restrict enrollment to the internal networks where users can access the Device Management Portal, all other New User Policies should be set to Deny acccess

Once you make this change, you will be all set to post the URL for the new portal anywhere you’d like internally.

Hope this helps!