Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1366
Views
1
Helpful
2
Replies

Duplicate accounts and username normalization question

Go to solution
mikepiet
Level 1
Level 1

‎11-08-2021 12:02 PM

Hi,

So in testing Duo for my test tenant, I imported accounts via Azure Directory Sync. That went great.

I created a Duo protected application for my M365 cloud apps. Worked great.

So I noticed that I now have duplicate names. I see in some other posts that “username normalization” will cause this but I am not really sure which accounts I should delete.

The account that was spontaneously created works and the dir sync account shows as never authenticated. The “never authenticated” has all the relevant account info like email, first\last name etc.

So I need to enforce users using their sync’d account and not have Duo create a new account.

Do I simply turn off username normalization, delete the newly created account and have the sync’d account perform a new enrollment?

I wish there was a “merge” feature and an admin could choose which account was to be deleted etc.

Thanks!

Michael

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Amy2
Level 5
Level 5

‎11-08-2021 01:23 PM

Hi @mikepiet, yes, I’d recommend you turn off username normalization. Username aliases can be used to add multiple variations of usernames to a single user in addition. Because usernames in Duo need to be unique, you will need to delete the duplicate users before you can re-add the alternate usernames as aliases. Duo does not sync an entire directory, but rather a security group and its members, so you should be able to simply remove any users from that group in Active Directory and sync the group to Duo to mark those duplicate users for deletion.

When you sync the users from Azure Active Directory, ensure you sync samaccountname, userprinicipalname, msDS-PrincipalName and mail attributes. Any one of these can be the primary username and the others aliases, as long as the ones required are defined. In this way, with Username Normalization set to disabled (none), the username should match the correct user under most circumstances.

I hope that helps!

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Amy2
Level 5
Level 5

‎11-08-2021 01:23 PM

Hi @mikepiet, yes, I’d recommend you turn off username normalization. Username aliases can be used to add multiple variations of usernames to a single user in addition. Because usernames in Duo need to be unique, you will need to delete the duplicate users before you can re-add the alternate usernames as aliases. Duo does not sync an entire directory, but rather a security group and its members, so you should be able to simply remove any users from that group in Active Directory and sync the group to Duo to mark those duplicate users for deletion.

When you sync the users from Azure Active Directory, ensure you sync samaccountname, userprinicipalname, msDS-PrincipalName and mail attributes. Any one of these can be the primary username and the others aliases, as long as the ones required are defined. In this way, with Username Normalization set to disabled (none), the username should match the correct user under most circumstances.

I hope that helps!

0 Helpful

Go to solution
mikepiet
Level 1
Level 1
In response to Amy2

‎11-19-2021 12:36 PM

Hi Amy,

I wanted to say thank you for the reply! It was tremendously helpful.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents