Using DUO Internally as an MSP

I apologize if this question has already been answered here. I have done my best to find an answer on my own, but have been unsuccessful.

We just joined DUO as an MSP. I see that in our top-level MSP account, we have Applications and Users (and for the owner of the account there’s an Administrators section). We also created our internal account which has our NFR licenses. This internal account has Applications and Users sections as well. Here are my questions:

  1. What are the top-level Applications and Users sections used for?
  2. What are the NFR account Application and Users sections used for?
  3. Which account would we use for our internal use of DUO? The MSP account or the NFR account? This seems confusing.

Thanks in advance!


Hi Ryan,

Welcome! We’re glad to have you as both an MSP and a member of our Duo community.

To answer your questions, first it’s important to note that any account associated with an MSP Console can be flagged as an NFR. We recommend creating a sub-account for your internal use, but you could use your parent account. Most MSPs use the parent account strictly as a management tenant.

  1. The top-level Applications and Users tabs can be used to deploy your internal account at the parent level. If you want to manage your internal account like you would your clients’, those tabs don’t really serve a purpose.
  2. Once an account has been flagged as an NFR (Not For Resale) account, you will use the Application and Users tabs to protect your internal applications.
  3. You can use either. We recommend using a sub-account, but we can also flag a parent account as your NFR if you prefer.

You can find more info about how to set up your NFR account in the guide available here.

Hope that helps!

Great question and great answer! Thank you to both.

I’d like to add that if you’re going to be using our APIs to automate admin functions, you’ll want to protect the “Accounts API” and the “Admin API” at the parent level. When you do, you can then use our APIs to perform admin functions on sub-accounts without having to create an “Admin API” application on EVERY sub-account.
Otherwise, if your NFR Internal Use account is set up as a sub-account, the only thing that should be on the parent level should be the correct Administrators. Admins added to the parent will share that same role across all sub-accounts.

Additionally, to add onto #3: You should only use the account for internal use that you asked to mark as your NFR account. Otherwise, you’re going to be billed for your usage.
Email for any questions of this nature or if you’d like to connect with your partner manager. Thank you!

Thank you both for your responses! These answer my questions! Very helpful!


One more question… Is there any reason to log in under the internal account, or can everything that needs to be done be done from the MSP account side?

EDIT: I guess what I’m asking is, is there a separate login for users created under the NFR account or would we just use the MSP administrator user that we have? I hope that is clear.

Sorry for the delay, Ryan. I missed the follow-up question.

All of your admins who will need access to ALL sub-accounts should only be added at the parent, and then will log in at the parent level and switch to the NFR sub-account.

If you have internal IT who will only ever need to log in to the NFR account, you could add them as an admin ONLY on the NFR sub-account, and they won’t have access to the parent or any other future customers in other sub-accounts.

There shouldn’t be any reason to create a duplicate admin under the NFR account for an admin who exists at the parent. Doing so could cause an error and potentially lock the admin out of both accounts.

Feel free to email for any pressing concerns to receive a potentially quicker response. Thank you!

1 Like
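
The admin-scoping guidance in the replies above can be checked with a small audit, shown here as an added example that is not part of the original thread and is not Duo's code. The account names, e-mail addresses and the dictionary layout are constructed assumptions, not a Duo export format; the script flags admins duplicated between the parent and a sub-account and lists who can effectively reach each sub-account.

```python
# Constructed sample data: account name -> admin e-mail addresses.
# Layout and values are assumptions for this example, not a Duo export.
PARENT = "msp-parent"
ADMINS = {
    "msp-parent": ["alice@msp.example", "bob@msp.example"],
    "nfr-internal": ["Bob@MSP.example", "carol@msp.example"],
    "customer-a": ["dave@customer-a.example"],
}


def norm(email):
    """Compare e-mail addresses case-insensitively and ignore stray spaces."""
    return email.strip().lower()


def audit_admin_scope(admins, parent):
    """Return duplicate admins and the effective admin set per sub-account.

    Per the thread: admins added at the parent share their role across all
    sub-accounts, and an admin who exists at the parent should not also be
    created on a sub-account.
    """
    parent_admins = {norm(e) for e in admins[parent]}
    duplicates = []
    effective_access = {}
    for account, emails in sorted(admins.items()):
        if account == parent:
            continue
        local = {norm(e) for e in emails}
        # Same person defined at both levels: the lockout risk described above.
        for email in sorted(local & parent_admins):
            duplicates.append((email, account))
        # Everyone who can administer this sub-account, directly or via parent.
        effective_access[account] = sorted(local | parent_admins)
    return {"duplicates": duplicates, "effective_access": effective_access}


if __name__ == "__main__":
    report = audit_admin_scope(ADMINS, PARENT)
    for email, account in report["duplicates"]:
        print(f"DUPLICATE: {email} exists at parent and on {account}")
    for account, emails in report["effective_access"].items():
        print(f"{account}: {', '.join(emails)}")
```
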