Please, please could we get the option to deny the permission for admins with the “User Manager” role to set users to bypass mode? Or at least a radio button in the Duo Admin Portal under Settings to DISABLE the option of Bypass Mode altogether?
We have many systems administrators in our organization, each responsible for a branch of the organization. They need to be able to manage the users under their branch (hence the User Manager role). However, we have a strict enterprise policy of not allowing any user to be able to bypass Duo. They can get a temp bypass code, no problem, but we don’t want them to be able to bypass MFA.
For now our workaround is to use a Splunk integration which triggers a script to reset a user to Active based on a Duo bypass mode event. Sometimes this can take a few minutes to execute the workflow and reset the user back to ACTIVE, and that window of time is too long for our desired security posture.
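
An added example, not part of the original post: a small audit over administrator-log events that measures how long each user stayed in bypass before the reset landed and lists users still waiting for a reset. The events are constructed, and the field names (`timestamp`, `action`, `object`, `username`, `description`) and the `user_update` / `status` values are assumptions modelled on Duo Admin API administrator-log records.

```python
import json

# Constructed sample events, shaped like Duo Admin API administrator-log
# records (assumed fields: timestamp, action, object, username, description).
SAMPLE_EVENTS = [
    {"timestamp": 1700000000, "action": "user_update", "object": "alice",
     "username": "branch-admin-1", "description": '{"status": "Bypass"}'},
    {"timestamp": 1700000030, "action": "user_update", "object": "bob",
     "username": "branch-admin-2", "description": '{"realname": "Bob B"}'},
    {"timestamp": 1700000185, "action": "user_update", "object": "alice",
     "username": "api-reset-script", "description": '{"status": "Active"}'},
    {"timestamp": 1700000200, "action": "user_update", "object": "carol",
     "username": "branch-admin-1", "description": '{"status": "Bypass"}'},
    {"timestamp": 1700000210, "action": "admin_login", "object": None,
     "username": "branch-admin-2", "description": "not json"},
]

def status_change(event):
    """Return the new status (lowercased) if the event changes a user's status."""
    if event.get("action") != "user_update":
        return None
    try:
        desc = json.loads(event.get("description") or "{}")
    except ValueError:
        return None  # free-text description, not a field change
    status = desc.get("status") if isinstance(desc, dict) else None
    return status.lower() if isinstance(status, str) else None

def audit_bypass(events):
    """Return (closed, still_open): exposure windows and users left in bypass."""
    open_since, closed = {}, []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        status = status_change(ev)
        if status is None:
            continue
        user = ev["object"]
        if status == "bypass":
            # Keep the first bypass event so the window is not understated.
            open_since.setdefault(user, (ev["timestamp"], ev["username"]))
        elif user in open_since:
            start, admin = open_since.pop(user)
            closed.append({"user": user, "set_by": admin,
                           "seconds_in_bypass": ev["timestamp"] - start})
    still_open = [{"user": u, "set_by": a, "since": t}
                  for u, (t, a) in sorted(open_since.items())]
    return closed, still_open

if __name__ == "__main__":
    closed, still_open = audit_bypass(SAMPLE_EVENTS)
    print("reset:", closed)
    print("needs reset to active:", still_open)
```

The `still_open` list is what a reset script would act on, and `seconds_in_bypass` gives a per-event figure to track against the acceptable window.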