New User Workflow

We’re trying to figure out the best workflow for when we get a new hire. The new machine gets Duo installed right away and the user account is protected immediately. However, doing this causes issues with them logging in for the first time since they didn’t go through enrollment. So the account is in bypass until they contact IT.

How is everyone else doing this? We’re just not really sure on the order of operations for new users yet. We’ve been using Duo for a little less than a year and are working through the growing pains.

Hi @AndrewP, welcome to the Duo Community! Great question. First, it would help to understand which application(s) you are protecting with Duo today, as this will determine what options are available to you. Since you mention installing Duo on a machine, it sounds like you may be using Duo Authentication for Windows Logon and RDP - is that correct? Can you tell me more about how you are enrolling Duo users today?

We typically recommend using inline self-enrollment whenever possible to allow users to enroll themselves in Duo. If you’re not using a web-based application that supports inline self-enrollment though, you will need to go a different route.

Bulk self-enrollment may be a good option for you. This will allow you to send enrollment links to your users. The New User Policy can remain on the default Require Enrollment. Users who are partially enrolled or unknown to Duo will be denied access to the application in cases where inline self-enrollment is not supported. Then you will need an Authentication Policy set to “Bypass 2FA” and applied to partially enrolled users to allow them through. Details about how to do that are in our documentation.

I’d recommend our FREE Enrollment Methods and Strategies course on Duo Level Up. It has a lot of helpful information and details and can guide you through creating the best strategy for your use case!

1 Like

Hi Amy, I will definitely look into Level Up! We are protecting Azure/Office 365 and Windows Logon/RDP. Users are being enrolled automatically via Active Directory sync. So when they first go to log in to their machine they’re unable to do so because enrollment hasn’t been completed. I’ll go through the training and see if I can come up with a better way, maybe not installing the Duo client on the machine until after they go through enrollment on office.com.

I appreciate your input!

1 Like

Does your AD have phone information for users? If so, do you import it? Do users have to contact your help desk to have the account enabled as part of onboarding or is that handled ahead of time?

If you sync users with phone information, they could at least log in to the workstation using phone or sms (if your policy allows) and then you could enable Duo self-service on your Office 365 application so the users can activate the phones for Duo Mobile.

Or, if the new employee has to contact your help desk to get their Windows logon account enabled, maybe your help desk could issue the user a Duo bypass code to let them complete that initial login, and they proceed to device enrollment?

1 Like