Users being allowed access as unenrolled, but they are enrolled

Protecting Azure AD.
Assign the policy to one user. When that user opens Outlook.office.com they are not prompted and are allowed through. When checking the Duo logs, it says the user was allowed in without prompt because they’re unenrolled. They are enrolled however. The user management page in Duo shows zero unenrolled users. When I try to send an enrollment email to that user, it never gets sent because they’re already enrolled. Why are they not prompted?

This was happening because username normalization was turned off. Once turned on, it started working.
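An added illustration, not part of the original thread and not Duo's code: a sketch of why a name mismatch makes an enrolled user look unenrolled, plus a check that flags such log entries. It assumes the sign-in name arrives as `user@domain` while the account is stored as the bare username; the record layout, sample data and function names are constructed for this example.

```python
# Added illustration. Record layout and sample data are constructed,
# not Duo's actual log schema.

def normalize_simple(username: str) -> str:
    """Reduce DOMAIN\\user and user@domain forms to the bare 'user'."""
    name = username.strip()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name

def resolve(login_name: str, enrolled: set, normalization_on: bool) -> str:
    """Decide the outcome for a sign-in name against the enrolled set."""
    key = normalize_simple(login_name) if normalization_on else login_name
    return "prompt for 2FA" if key in enrolled else "allowed: unenrolled"

def find_false_unenrolled(log_entries: list, enrolled: set) -> list:
    """Return logged names that were let through as unenrolled although
    their normalized form matches an enrolled account."""
    return [
        e["username"]
        for e in log_entries
        if e["result"] == "allowed: unenrolled"
        and normalize_simple(e["username"]) in enrolled
    ]

# Constructed sample data.
ENROLLED = {"jdoe", "asmith"}
SAMPLE_LOG = [
    {"username": "jdoe@example.com", "result": "allowed: unenrolled"},
    {"username": "asmith", "result": "prompt for 2FA"},
    {"username": "newhire@example.com", "result": "allowed: unenrolled"},
]

if __name__ == "__main__":
    for on in (False, True):
        print("normalization", "on " if on else "off",
              "->", resolve("jdoe@example.com", ENROLLED, on))
    print("review these entries:", find_false_unenrolled(SAMPLE_LOG, ENROLLED))
```

Entries returned by `find_false_unenrolled` are sign-ins that skipped the second factor only because the name forms differed, which is the situation to look for when the user list shows no unenrolled users.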