User status reports

I need to present user data to mgmt, since we are having issues with too many users enrolled.
Maybe I'm just overwhelmed by the options.
I have users that are disabled from AD and users that have never authenticated into Duo, but then I have users that are in both categories of disabled/never authenticated, so there is overlap.

How do I present this?

Hi @tippet5x, great question! Thank you for starting this discussion in the Duo Community.
We recommend something like this that shows the number of enrolled users, the percentage of licenses those users consume, and the number of partially enrolled users (i.e., users who have a username in Duo but no 2FA device associated with their account).

[Image: Screen Shot 2021-04-22 at 11.54.32 AM]

It sounds like you might be looking to clean up users to free up some of your licenses. If that is the case, you might want to present the number of users who can be removed compared to your license count.

One place to start would be removing all users with a status of Disabled. This will help you narrow things down from three groups to two, so you are only dealing with fully enrolled and partially enrolled users. From there, you can determine whether to push the partially enrolled users to complete enrollment, remove them from the system, or leave them in if you wish.

How are you managing your users today? It sounds like you are using AD sync from what you’ve shared here. Do you have an offboarding process in place today to remove users from AD groups as they leave the company? This will help a lot with managing users and licenses going forward!

P.S. Following up with some additional information from the Duo team. Here are the three main categories of users we’d advise you to look at and how to do so:

  • Users in a Disabled state - This can be found by filtering for users with the status “Disabled.” These users can easily be eliminated because, given their status, there is already a reason they do not and should not need Duo.
  • Not Enrolled Users - This can be found by clicking on “Not Enrolled” under the User tab. You should investigate why these users haven’t enrolled a 2FA device before taking any action. It’s very possible these users don’t need Duo and should no longer get synced from AD (especially if their last login is “Never authenticated”). But it could also be a sign that they need to encourage users who should be using Duo to complete enrollment.
  • Inactive Users - This can be found by clicking on “Inactive Users” under the User tab. ⚠️ You should be most careful about removing users from this group, because anyone who hasn’t used Duo in 30 days is automatically placed there. If users may be expected to go 30+ days without needing to use Duo, then you may want to manually filter the “Last Login” date for a more appropriate window.

And finally, a few important reminders about Duo:

  • AD synced users must be managed in AD (i.e., if you want to disable or delete a user, it must be done from AD, not the Duo Admin Panel)
  • The only status that does not consume a license is “Pending Deletion,” so you’ll need to actually remove the user from AD sync (and not just disable) to free up the license.
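
One way to turn the overlapping categories into a single report, as an added example that is not part of the original replies: each user lands in exactly one bucket, and licenses are counted with the rule above that only “Pending Deletion” consumes none. The records, field names and the license count of 10 are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data. Field names are assumptions for this example;
# map them to the columns of whatever user export you work from.
USERS = [
    {"username": "alice", "status": "active", "enrolled": True, "last_login": "2021-04-20"},
    {"username": "bob", "status": "disabled", "enrolled": True, "last_login": "2020-11-02"},
    {"username": "carol", "status": "disabled", "enrolled": False, "last_login": None},
    {"username": "dave", "status": "active", "enrolled": False, "last_login": None},
    {"username": "erin", "status": "active", "enrolled": True, "last_login": "2021-01-15"},
    {"username": "frank", "status": "pending deletion", "enrolled": True, "last_login": "2020-06-30"},
    {"username": "grace", "status": "active", "enrolled": True, "last_login": "2021-04-01"},
    {"username": "heidi", "status": "disabled", "enrolled": True, "last_login": None},
]

def bucket(user, now, inactive_days=30):
    """Put each user in exactly one bucket so overlaps are counted once."""
    status = user["status"].lower()
    never = user["last_login"] is None
    if status == "pending deletion":
        return "pending deletion"
    if status == "disabled":
        return "disabled, never authenticated" if never else "disabled"
    if not user["enrolled"]:
        return "not enrolled"
    if never:
        return "enrolled, never authenticated"
    last = datetime.strptime(user["last_login"], "%Y-%m-%d")
    return "inactive" if now - last > timedelta(days=inactive_days) else "active"

def report(users, license_count, now, inactive_days=30):
    counts = Counter(bucket(u, now, inactive_days) for u in users)
    # Per the thread, only "Pending Deletion" does not consume a license.
    used = sum(n for b, n in counts.items() if b != "pending deletion")
    disabled = counts["disabled"] + counts["disabled, never authenticated"]
    review = counts["not enrolled"] + counts["enrolled, never authenticated"] + counts["inactive"]
    return {
        "counts": dict(counts),
        "licenses_used": used,
        "pct_used": round(100 * used / license_count, 1),
        "freed_by_removing_disabled": disabled,
        "needs_review": review,
    }

if __name__ == "__main__":
    summary = report(USERS, license_count=10, now=datetime(2021, 4, 22))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Widen `inactive_days` if users are expected to go more than 30 days between logins, so the "inactive" bucket matches the window you would actually act on.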