Duo for Windows Logon on an Azure-joined Windows client not working

I want to have 2FA after the login prompt for an Azure-joined Windows client.
I followed the instructions below, but it still doesn’t work (error “The username you have entered is not enrolled with DUO Security”).

Any advice? Is there anywhere I can see what username is sent to Duo Security? I cannot find any log in the report section.

Thanks and have a nice day.

Hi @weixing73 ,

Welcome to the community!
I’ve run into this issue a couple of times and this is what has helped me:

  1. In the Duo Authentication Log you may see failed logins that show “Deny unenrolled user”
  2. If you check the C:\Users\ directory you can probably grab the username from the subfolder
  3. If you have an RMM that shows the last logged-in user it will often show up there

Format that I’ve found for the username is usually:

You can also add up to 8 different aliases on a user, so you can add a couple of different combinations for it to look for.

To clarify, our default New User Policy is set to Deny access to unenrolled users, which is why that probably shows up in our authentication logs.

Finally made it work. I needed to set the “New User Policy” to “Allow access without 2FA” so I could capture the actual username in the “Authentication Log”. I set it back to “Deny access” after I captured the actual username.

Anyway, the format for my case is: azuread\[displayname]

Thanks for the help and have a nice day.