Enrollment emails expiring


We are set to sync every 24 hours and send enrollment emails to users that have not been enrolled.
We have users calling to say that their enrollment link is no longer valid and has expired.

So a few questions about the enrollment email.
If a user is added by directory sync in Oct, they are sent an activation email. The user does nothing with that email. Does Duo continuously send him updated enrollment emails as a forced or scheduled sync occurs with the option enabled to send enrollment messages?

I fear it's one and done. Meaning when the user is added initially they are sent the enrollment email. The system only sends the enrollment email automatically if they are “new” to the users.

If that’s the case what happens to the user if they are never enrolled?
Is it on us to remove them from the AD group to keep our user count down? Or is there a report of users that have not enrolled I can run and remove them from our group?



Hi Bjorn,

It is definitely not “one and done.” If the user does not complete the enrollment process after 30 days have elapsed, the initial enrollment link will expire and a new link is generated and emailed to the user, beginning a new cycle.

As with the initial enrollment email, email reminders containing this second link will be sent two and 10 days after this second enrollment email is sent. This cycle will repeat for a user as long as they are synced in Duo but are not enrolled. This is from our Knowledge Base article here: https://help.duo.com/s/article/3000.

The list of users who have been sent enrollment emails but have not yet completed enrollment can be seen in the Pending Enrollments table in the Duo Admin Panel: https://duo.com/docs/administration-users#pending-enrollments. You can also resend enrollment link emails manually from the table.