Can I configure different groups for different server logons?

I have configured Duo to protect server logins, and I have a question about groups.

I don’t want to show 12 phone number choices on every server at login, I’d like to configure a few groups in Duo, and assign a group access to a specific server and nothing else

1- Group1 would have access to Server1, and only the phone numbers of the members of Group1 would show on Server1.
2- Group2 would have access to Server2, and only the phone numbers of the members of Group2 would show on Server2.

Is this possible? Thanks in advance.

Phones are associated to users in Duo, and not to applications, groups, or servers.

When you say “12 phone number choices on every server at login” do you mean this happens when people are logging into different servers with the same username/account?

If you have 12 phones attached to a single user, for example, if you have the user “Administrator” enrolled in Duo with the 12 phones of all your admins who know the password for “Administrator”, then all 12 phones will be offered as login choices for “Administrator”. There is no way to limit this by another logical grouping or setting in Duo.

We encourage use of distinct accounts over shared accounts.

Hey, thanks for the reply. The number 12 was arbitrary, just tossed out for grins. The Administrator account has 4 phone numbers, as 4 of us use that credential.

I have 5 other users that must logon to a few individual servers, a couple contractors and a few users in my org that manage an application here or there. These users do not use the administrator logon, but either their personal username or a service account.

Is there a way to create a group, then apply that group to a specific server and only allow the users in that group to logon to that one server?

Yep, for that you can:

  1. create a group in Duo
  2. put Duo users into that group
  3. Have unique Duo applications for your servers (so like, for Windows, create a unique Microsoft RDP application for each server and perform the Duo for Windows Logon install on each server using the distinct application info).
  4. Apply the group which you want to be able to log in with Duo to the Microsoft RDP application used on that server in the Permitted groups setting.
  5. Users in that Duo group can log in with Duo, and users not in that Duo group receive an error telling them they don’t have access.

See Using Groups to Manage Application Access.

Well, some good and bad here.

  1. I protected another app, and selected Microsoft RDP. Duo protected the app, and it was named RDP1, as there was already one called RDP.
  2. In RDP1, I scrolled down and selected “Only allow authentication from users in certain groups”, and I selected my new group that contained a few different users, and saved.
  3. I installed the executable on my test server, and entered the Installation and Secret Keys for RDP1.
  4. When logging on, Duo does not display the group members, it still shows the 4 users from the original RDP. My first thought was, I didn’t use the new keys I just generated. I verified I copied the correct keys by comparing them to the keys shown in RDP1. They are correct.
  5. On the server, I uninstalled and reinstalled the executable, and made absolutely certain I used the new keys generated for RDP1. Upon logging on I am still seeing the 4 users from RDP, and none of the users from the new group.
  6. I checked the registry on the server, and the new keys I just generated were there as expected.

Do you have any idea what I did wrong? The process is very straightforward, just select the check box to use the group and select the group you want to use. But it doesn’t seem to work on the server.

I am not sure what you mean by “see the four users”.

The Duo Authentication for Windows Logon screen will show the authentication devices attached to a single Duo user. The authentication devices may physically belong to different humans but they would be logically associated with a single user in Duo.

Are you talking about… login tiles shown on the Windows desktop? Like this?


This isn’t controlled by Duo at all and no change to permitted groups on a Duo app would change what Windows shows before a user logs on to the system.

The Duo permitted groups restriction (and Duo authentication itself) comes into play after a user has submitted a primary username and password with success.

To reference the networking diagram shown on the Duo RDP instructions page:

The permitted groups check comes between steps 3 and 4.

Ah, thank you for that explanation. We tested a logon to the server using RDP1, which is configured so that only members of the new group can access it. The user logging on was a member of the group. It prompted her for her phone as you described.

Thank you for the assist, my question has been answered.

Thanks for trying Duo!