Duo Users 2FA for AD Security Group Only, ignore 2FA for users outside of this group


Hi all,

I was wondering if I could have some feedback/suggestions here,

I am in the process of deploying Duo to a client of ours for terminal server access.

To this end I have enabled AD sync between the DC on premise and Duo’s portal.

I have two AD security groups: one for users who require 2FA, which will have 21 users in it, and the rest of the users are in the Bypass 2FA group (approx. 80 users).

I have tested, and this is working fine with the Bypass 2FA settings against the Bypass 2FA Security group, and requires 2FA against the Requires 2FA group.

My only problem with this is that the client will be billed for approx. 100 user licences when we only want to subject 21 users to 2FA. I understand that the licensing is done per user, whether or not they are enrolled or subject to 2FA.

The ideal scenario is just to have the 21 users in the portal requiring 2FA, with Duo ignoring all other users and allowing them to login/auth without a 2FA prompt.

Any ideas how I can achieve this or does Duo need to have all the other bypass 2FA users synced to its portal too?



Hi, one possible solution would be to configure AD sync to only synchronize the group with the 21 “require 2FA” users in it and then set your application or global new user policies to bypass 2FA for unenrolled users. While this would reduce your licensing, please note it is also less secure than requiring 2FA for all users.



Thanks for the suggestion. I had attempted this previously, as I thought that was a good way of achieving this. When I set it up how you described, any unenrolled users that I didn’t want 2FA set up against were oddly getting a ‘you are not authorized to use this application’ type message, even though I had set the policy to skip 2FA for unenrolled users?



Hm, that’s not how it should work. I’d recommend double-checking your application or global policies to ensure that they’re set up properly. Our Policy Guide may also help.

If you’re unable to resolve the issue on your own, please contact Duo Support.

  1. Make sure to completely delete the users that won’t be using Duo from Duo. Delete that group of 80 from the directory sync config, run the sync to put those users into the Trash, and then go into the Trash and permanently delete those users.

  2. Also make sure you did not specify a group in the “Permitted Groups” option on your application in Duo. It seems like this wouldn’t even be necessary if every Duo user that remains will be accessing the application.



I’ve been able to get this working thanks to your suggestions, thank you so much for the help with this.

Kind regards,