Permitted Email Domains

When setting up Duo SSO, why is it that email addresses from outlook.com, gmail.com, etc work without being on the permitted email domain list.

Hi @zfortna,

The goal of Permitted Email Domains is to protect users from logging into Duo SSO sites that aren’t run by their company, to help with this we make it so that administrators must verify the email domains on their account and only those email domains are allowed to authenticate.

We had requests from multiple customers for a variety of reasons to allow for public email domains to be allowed, these are domains that are not owned by a specific organization (gmail.com, yahoo.com, etc) so they cannot be verified. We’ve typically seen this when customers have contractors or test accounts that don’t have email addresses associated with the organization but they do have an account within Active Directory.

Perfect. That was exactly what I was looking for. We have a few contractors with their contractor’s company’s email addresses in our Active Directory. In order to get them to work with Duo SSO, we would have to go through the authorization process in order to get those domains to work. Am i understanding that correctly?

That’s correct. If you want them to continue to use their company email addresses for login you’ll need to get their email domain added to your Permitted Email Domains and be validated. Alternatively you could give them an email address with a domain you’ve already validated or have them use a public email address such as gmail or yahoo.