Users imported from Azure, getting "User not enrolled" error

Hello. I work at an MSP and am installing Duo for a client. This client set up the workstations for his employees who are now scattered around the country.

All users have Azure AD accounts which were successfully imported into Duo. All users have activated Duo Mobile. Duo Logon is installed on all workstations to lock those workstations. For most users, Duo is working exactly as intended, sending a push notification to their phones and letting them access their accounts as normal.

Three users, however, are receiving “User not enrolled” errors when logging into their workstations without receiving push notifications. I have sent test notifications to their phones which succeeded, sent reactivation SMS messages to their phones and had them verify the activations while I was in a call with them, checked their email addresses, and set aliases for their specific user account names, making sure that those aliases are what the user types in to log into their accounts.

I think what happened is that the original person who set up their workstations gave them local accounts, then set up unconnected Azure accounts for them, meaning that their local user account is not enrolled into Duo, causing the message. Are there any other probable causes for this?

Your best bet is to look at the local Duo for Windows Logon debug log in C:\ProgramData\Duo Security and see exactly what username the application is sending to Duo’s service, and then make sure that username exists as an alias for the enrolled Duo user.

The Duo RDP application defaults to simple username normalization, which drops any prefix or suffix on the username. So if the user was typing in joe@foo.corp, the Duo application tries to match the username joe when normalization is on, so joe must exist as a username or alias in Duo.

There are some more details about the username sent to Duo and normalization in the FAQ.
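To make the matching rule in the answer concrete, here is an added example (not code from the thread, and not Duo's own implementation) that mimics simple username normalization and then checks the normalized name against an enrolled-user table. The enrolled users, their aliases, and the log lines are all constructed for this example, and the `host=... typed=...` line format is invented here; the real Duo for Windows Logon debug log uses its own wording, so read the typed username from the actual file. Case-insensitive comparison and literal alias matching are assumptions of the example, not documented Duo behaviour.

```python
"""Mimic the Windows Logon client's simple username normalization and the
username/alias lookup described in the thread, over constructed sample data."""
import re
from typing import Dict, List, Optional, Set

# Constructed enrolled-user table: canonical Duo username -> set of aliases.
# "richard.lee" deliberately has an alias that still carries the @suffix.
ENROLLED: Dict[str, Set[str]] = {
    "jsmith": {"john.smith"},
    "amartin": set(),
    "richard.lee": {"rlee@foo.corp"},
}


def normalize_simple(typed: str) -> str:
    """Drop a DOMAIN\\ or HOST\\ prefix and an @domain suffix, as the answer
    describes for simple normalization. Lower-casing is an assumption here."""
    name = typed.strip()
    if "\\" in name:                      # FOO\jsmith or WS05\rlee-local -> account name
        name = name.rsplit("\\", 1)[1]
    if "@" in name:                       # joe@foo.corp -> joe
        name = name.split("@", 1)[0]
    return name.lower()


def lookup(sent: str, enrolled: Dict[str, Set[str]] = ENROLLED) -> Optional[str]:
    """Return the canonical Duo user the sent name resolves to, or None,
    which corresponds to the 'User not enrolled' outcome."""
    for canonical, aliases in enrolled.items():
        if sent == canonical.lower() or sent in {a.lower() for a in aliases}:
            return canonical
    return None


# Invented log-line shape for this example only; not Duo's debug-log format.
LINE_RE = re.compile(r"host=(?P<host>\S+)\s+typed=(?P<typed>\S+)")


def audit(lines: List[str], enrolled: Dict[str, Set[str]] = ENROLLED) -> List[dict]:
    """For each log line: what was typed, what would be sent after
    normalization, and which enrolled user (if any) it matches."""
    results = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        sent = normalize_simple(m["typed"])
        results.append({"host": m["host"], "typed": m["typed"],
                        "sent": sent, "user": lookup(sent, enrolled)})
    return results


def unenrolled(results: List[dict]) -> List[dict]:
    """Entries that would produce 'User not enrolled'; the 'sent' value is the
    exact alias an admin would need to add to fix each one."""
    return [r for r in results if r["user"] is None]


# Constructed sample lines covering the cases discussed in the thread.
SAMPLE_LOG = [
    "host=WS01 typed=FOO\\jsmith",           # domain prefix stripped -> jsmith
    "host=WS02 typed=john.smith@foo.corp",   # suffix stripped -> alias john.smith
    "host=WS03 typed=amartin",               # plain name, matches directly
    "host=WS04 typed=rlee@foo.corp",         # alias was set WITH suffix -> no match
    "host=WS05 typed=WS05\\rlee-local",      # local account name, never aliased
]

if __name__ == "__main__":
    for r in audit(SAMPLE_LOG):
        status = r["user"] or "User not enrolled"
        print(f"{r['host']}: typed {r['typed']!r} -> sent {r['sent']!r} -> {status}")
```

Running it shows the two failure modes the thread circles around: an alias that still contains the `@foo.corp` suffix never matches because the client already stripped it, and a local account name such as `rlee-local` matches nothing unless that exact normalized string is added as an alias. Swapping the constructed `ENROLLED` table for an export of the real Duo users and aliases, and the sample lines for the typed usernames read out of the actual debug log, turns this into a quick check of which accounts will fail before the users call in.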