Roll out protecting email with Duo 2FA

We’re using MS 365 so our email server is in the cloud. When we send the enrollment email to our users and require 2FA, they can’t access their email because it’s now protected by Duo. What’s the process or sequence to have users enroll while still requiring 2FA with Duo? Do we need to allow access to email without Duo at first so they can get the enrollment message, then require 2FA later? That seems like an admin headache.

Hi @willd44, how are you protecting MS 365? The Duo integration you use will determine what’s possible. In general though, you’ll want to set your New User Policy to Require enrollment. This means any users who are not enrolled in Duo will see the inline self-enrollment setup process after entering their primary username and password. Anyone who is already enrolled in Duo will be prompted to complete two-factor authentication.

Inline self-enrollment is only an option for most web-based applications, so if it’s not available to you, you will have to do bulk self enrollment via email, which it sounds like you’re doing today. In that case, yes, you’d likely need to do an open enrollment period before enabling 2FA for everyone.

I recommend checking out our Duo Policy Guide and our free course Enrollment Methods & Strategies in Duo Level Up. Hope that helps!