Exclude Group on one Endpoint?

JuniorSA · ‎10-16-2020

I have Duo Authentication for Windows Logon and RDP installed on servers for a client. In our scenario we want to exclude a group of users on Server1, but still apply MFA to all users on Server2.

Is this possible?

EDIT: I wasn’t clear originally. We want to a certain group to bypass MFA on Server 1.

mkorovesisduo · ‎10-16-2020

Yep, you can accomplish this using the Permitted groups setting on an application’s properties page.

JuniorSA · ‎10-16-2020

Will using this block all users outside the permitted group or set users outside of the group to bypass?

mkorovesisduo · ‎10-16-2020

Per the docs linked above, “Saving this change [configuring permitted groups] blocks active Duo users who aren’t members of the selected groups from accessing that application.”

JuniorSA · ‎10-16-2020

Hello - I apologize, I was not clear. We want to a certain group to bypass MFA on Server 1.

mkorovesisduo · ‎10-16-2020

Ah sorry, I misunderstood your first post.

You can use an Authentication Policy to achieve what you’re after.

If server1 and server2 are separate Duo applications in your admin panel, then you’ll want to apply a Bypass 2FA Authentication Policy to the targeted group on the Server1’s application properties page in the Duo Admin Panel.

Assuming you don’t have any other policies in place at the global, application, or group level, all users would still be prompted for 2FA when accessing Server2.