Multiple emails for single user

I am setting up a Duo environment for our users. All of our users have 2 email addresses, formatted as follows: and
Our on-prem Exchange is set up to give every account both emails as an alias for the same account. For the sake of Duo’s SSO, I am syncing users based on the “mail” attribute of the account in AD. This attribute picks a “default” for each user based on the Exchange setting and is not the same for every user (one user may have and another user may have
I would like to have our Duo set up to accept either as a valid email for all users, despite what the “default” email is. We are working to move all of our users to use primarily (since most of our users are currently on but we don’t have a timeline on that, nor will just go away.
Does anyone have any ideas on how to add multiple emails for a single user?

Hi Drew_Nolen, Welcome to the Duo Community!

When you look at a user object in Duo, the Email field is only used to send Enrollment or Activation emails to the users. It is not used as a username.

The username and alias fields are usernames.
As such, if you modify your sync to contain the attributes used as email2 for an alias field, your users will be able to sign in with those alternate emails.

Please see the Duo Alias configuration guide below:

If this is for logging in with Duo SSO, the email domain will also need to be verified in your Duo SSO Authentication source configuration.

Yes, this is for Duo SSO. I have verified both of the email domains in my configuration. Can users have 2 email addresses which they use to log into Duo SSO?

For Duo SSO there are two different parts to this:

  1. The Duo user must have both email addresses set as username or username alias (as @raphka described) to be able to match the email username received by Duo to an existing user.

  2. If you are using AD authentication for Duo SSO, you also need to configure the list of AD attributes that contain the email addresses for your users. The default is to just search the mail AD attribute values for a match. If you have alternate email addresses for your users stored in a different AD attribute then you would need to add it to the list of email attributes for SSO. I don’t believe this supports multivalued AD attributes like the proxyAddresses attribute.

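An added example, not part of the thread or Duo's own tooling: since the last reply suggests multivalued attributes such as proxyAddresses may not be supported, this sketch works out, from an exported user list, the single alternate address that could be copied into a single-valued AD attribute of your choosing and then used as the alias and extra SSO email attribute. The export format, the `example.com`/`example.org` domains and the function names are assumptions.

```python
from collections import Counter

# Placeholder domains (assumption); the thread's real domains are not shown.
VERIFIED_DOMAINS = {"example.com", "example.org"}

def smtp_addresses(proxy_addresses):
    """Lower-cased SMTP addresses from an Exchange proxyAddresses list.
    'SMTP:' marks the primary, 'smtp:' a secondary; X500:, sip: etc. are skipped."""
    out = []
    for entry in proxy_addresses:
        prefix, _, addr = entry.partition(":")
        if prefix.lower() == "smtp" and "@" in addr:
            out.append(addr.strip().lower())
    return out

def plan_aliases(users):
    """Return ({account: alternate address}, [(account, problem), ...])."""
    plan, problems = {}, []
    mails = [(u.get("mail") or "").lower() for u in users]
    for u, mail in zip(users, mails):
        # Alternates: verified-domain SMTP addresses other than the mail value.
        alts = sorted({a for a in smtp_addresses(u.get("proxyAddresses", []))
                       if a != mail and a.rsplit("@", 1)[1] in VERIFIED_DOMAINS})
        if len(alts) == 1:
            plan[u["sAMAccountName"]] = alts[0]
        else:
            reason = ("several alternates: " + ", ".join(alts)) if alts else "no alternate address"
            problems.append((u["sAMAccountName"], reason))
    # An address that appears on two accounts cannot identify one user.
    seen = Counter(mails + list(plan.values()))
    for name, alias in list(plan.items()):
        if seen[alias] > 1:
            del plan[name]
            problems.append((name, "address used by another account: " + alias))
    return plan, problems

# Constructed sample export (not data from the thread).
SAMPLE = [
    {"sAMAccountName": "alice", "mail": "alice@example.com",
     "proxyAddresses": ["SMTP:alice@example.com", "smtp:alice@example.org", "X500:/o=Org/cn=alice"]},
    {"sAMAccountName": "bob", "mail": "bob@example.org",
     "proxyAddresses": ["SMTP:bob@example.org", "smtp:Bob@Example.com"]},
    {"sAMAccountName": "carol", "mail": "carol@example.com",
     "proxyAddresses": ["SMTP:carol@example.com"]},
    {"sAMAccountName": "dave", "mail": "dave@example.com",
     "proxyAddresses": ["SMTP:dave@example.com", "smtp:dave@example.org", "smtp:d.smith@example.org"]},
    {"sAMAccountName": "erin", "mail": "erin@example.com",
     "proxyAddresses": ["SMTP:erin@example.com", "smtp:bob@example.org"]},
]

if __name__ == "__main__":
    print(plan_aliases(SAMPLE))
```

Accounts listed in the problems output need a manual decision before the sync attribute is populated.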