Monitor Users Placed on Bypass

bmcd113 · ‎06-01-2023

Has anyone successfully setup a way to monitor and get alerts generated to an email or ticketing system if a user is placed on bypass for an extended period of time?

We are an MSP and our techs will commonly place users on Bypass, and many times they forget to put the user back into an active status.

Let me know if anyone has had any luck with this!

raphka · ‎06-04-2023

Hi bmcd113, Welcome to the Duo Community!

You can automate something like this by running reports on bypass users using the API and filtering for the Bypass status on users.

The output could then be exported/integrated with your mailing systems.

Duo does not write custom code, however Duo Security has demonstration clients available on Github to call the Duo API methods. Examples are available in: Python, Java, C#, Ruby, Perl, and PHP.
You can repurpose these to your requirements.

I will however note that Bypass mode is not intended for temporary bypass for a user that does not have their usual 2fa device, and is a security risk when used in this manner as it will also bypass policies as per the docs.

I recommend you make use of Bypass codes instead for this purpose, these can be set to expire after some time or number of uses. Bypass codes are much more secure and are subject to policies.

Finally, it is also possible to prevent your Helpdesk and User Administrators from putting users in the bypass mode to prevent accidental use of bypass status intended for service accounts or automated systems where 2fa is not possible.

richardjs · ‎08-29-2023

Can you advise what the api call is for bypass please?

DuoKristina · ‎08-30-2023

If you look at the Admin API "Retrieve Users" response you'll see `status` listed as one of the parameters.

Duo, not DUO.