I was wondering if I could have some feedback/suggestions here.
I am in the process of deploying Duo to a client of ours for terminal server access.
To this end I have enabled AD sync between the DC on premise and Duo’s portal.
I have two AD security groups: one for Requires 2FA, which will have 21 users in it, and the rest of the users are in the Bypass 2FA group (approx. 80 users).
I have tested, and this is working fine with the Bypass 2FA settings against the Bypass 2FA Security group, and requires 2FA against the Requires 2FA group.
My only problem with this is that the client will be billed for approx. 100 user licenses when we only want to subject 21 users to 2FA. I understand that the licensing is done per user, whether they are enrolled or not or subject to 2FA.
The ideal scenario is just to have the 21 users in the portal requiring 2FA, with Duo ignoring all other users and allowing them to log in/auth without a 2FA prompt.
Any ideas how I can achieve this or does Duo need to have all the other bypass 2FA users synced to its portal too?