Duplicate accounts and username normalization question


So in testing Duo for my test tenant, I imported accounts via Azure Directory Sync. That went great.

I created a Duo protected application for my M365 cloud apps. Worked great.

So I noticed that I now have duplicate names. I see in some other posts that “username normalization” will cause this but I am not really sure which accounts I should delete.

The account that was spontaneously created works and the dir sync account shows as never authenticated. The “never authenticated” has all the relevant account info like email, first\last name etc.

So I need to enforce users using their sync’d account and not have Duo create a new account.

Do I simply turn off username normalization, delete the newly created account and have the sync’d account perform a new enrollment?

I wish there was a “merge” feature and an admin could choose which account was to be deleted etc.



Hi @mikepiet, yes, I’d recommend you turn off username normalization. Username aliases can be used to add multiple variations of usernames to a single user in addition. Because usernames in Duo need to be unique, you will need to delete the duplicate users before you can re-add the alternate usernames as aliases. Duo does not sync an entire directory, but rather a security group and its members, so you should be able to simply remove any users from that group in Active Directory and sync the group to Duo to mark those duplicate users for deletion.

When you sync the users from Azure Active Directory, ensure you sync samaccountname, userprinicipalname, msDS-PrincipalName and mail attributes. Any one of these can be the primary username and the others aliases, as long as the ones required are defined. In this way, with Username Normalization set to disabled (none), the username should match the correct user under most circumstances.

I hope that helps!

Hi Amy,

I wanted to say thank you for the reply! It was tremendously helpful.

1 Like