Securing Domain Administrators

Our company is evaluating the product and our security department would like to use DUO for securing domain administrator logons. I don’t see that as an application (?) to secure. Sorry for such a vague question, but we are new to this.

The typical use case for Duo with on-prem Windows/AD is securing a workstation or server, and not necessarily a person.

If you are looking for an application that would prompt for 2FA when a domain admin right-clicks to run ADUC as an administrator or makes a change to an AD object, Duo does not address this today.

But, if you wanted to require 2FA when a domain admin logs on to a domain controller, we have a solution. You can learn more about what logon types we protect here.

For O365/Azure AD tenant admins, you could add Duo for login verification a few ways:

So there is a method within the DUO product to require a user to enter a passcode when logging on with a Domain Administrator level account? I see many posts where people have “implemented”, but my understanding is DUO is an endpoint product. The application would need to be installed on each server where you wanted 2FA required.

So there is a method within the DUO product to require a user to enter a passcode when logging on with a Domain Administrator level account?

No, as I said, Duo for Windows Logon protects the server/workstation, not the user.

The application would need to be installed on each server where you wanted 2FA required.

Correct, as described in the linked documentation for Duo for Windows Logon.