Solved: Sync newly created AD account immediately

Kav1 · ‎05-31-2021

hi all,

I can see the API to sync the directory requires a username be given (as per https://duo.com/docs/adminapi#synchronize-user-from-directory), to sync that specific user.

The scenario I have though is this, an AD user has just been created and I want to sync this user into Duo immediately (rather than wait 24hrs). Via the GUI you can achieve this by hitting the ‘sync directory now’ button for your configured active directory, but how do we achieve this programmatically?

What are others doing to solve this?

DuoKristina · ‎06-01-2021

If the username you specify doesn’t already exist in Duo, but matches the value of the source directory attribute you configured as the username attribute for the sync, it will create the user.

Create new user kav in AD and make the user a member of the group configured in the Duo AD sync.
Run an individual sync from the Admin Panel or with the Admin API for username kav.
Sync finds kav in the source AD directory and imports that new user into Duo. The API response indicates the user was added and includes the new user’s Duo values.

From the AD Sync info linked from the description of the sync user API endpoint:

When initiated, the individual user sync verifies that each specified user is a member of a group currently synced with Duo and then imports information for that user into Duo. If a specified user doesn’t already exist in Duo, the sync creates them using the information imported from the source directory.

If you don’t know the new username though, you can’t specify it during an individual sync. If that’s your use case, you might be interested in a delta sync (to only import changes, as opposed to a full sync). Please contact your Duo Account Executive or Customer Success Manager (if you have one) or Duo Support (if you don’t) to add your support for the delta sync feature request, or for the feature request for management of full sync via Admin API (if that interests you as well).

Duo, not DUO.

View solution in original post

DuoKristina · ‎06-01-2021

If the username you specify doesn’t already exist in Duo, but matches the value of the source directory attribute you configured as the username attribute for the sync, it will create the user.

Create new user kav in AD and make the user a member of the group configured in the Duo AD sync.
Run an individual sync from the Admin Panel or with the Admin API for username kav.
Sync finds kav in the source AD directory and imports that new user into Duo. The API response indicates the user was added and includes the new user’s Duo values.

From the AD Sync info linked from the description of the sync user API endpoint:

When initiated, the individual user sync verifies that each specified user is a member of a group currently synced with Duo and then imports information for that user into Duo. If a specified user doesn’t already exist in Duo, the sync creates them using the information imported from the source directory.

If you don’t know the new username though, you can’t specify it during an individual sync. If that’s your use case, you might be interested in a delta sync (to only import changes, as opposed to a full sync). Please contact your Duo Account Executive or Customer Success Manager (if you have one) or Duo Support (if you don’t) to add your support for the delta sync feature request, or for the feature request for management of full sync via Admin API (if that interests you as well).

Duo, not DUO.

PulkitMittal4180 · ‎10-10-2021

can we automate this, such that as soon as user is added to AD, it gets added to duo from API?

DuoKristina · ‎10-11-2021

Yes, but from outside Duo (your own program that is aware of the AD account creation and triggers the Duo API request).

Duo, not DUO.

Kav1 · ‎06-01-2021

Ah amazing, thank you Kristina! That makes sense

Regarding the delta sync via API, I asked support for it as a feature request already.