Does Duo support user “run-as” and RSAT commands in AD with elevated rights? If so, are there instructions on how to set this up.
I am looking to support Active Directory Administrators with MFA for when they use administrative tools with their Server Admin account or running commands using run as and their AD admin accounts.
This FAQ item may answer your question:
What logon interfaces can Duo protect?
Duo Authentication for Windows Logon provides two-factor authentication for RDP and local console logons, and credentialed UAC elevation prompts (e.g. Right-click + “Run as administrator”).
Duo’s Windows Logon client does not add a secondary authentication prompt to the following logon types:
- Shift + right-click “Run as different user”
- PowerShell “Enter-PsSession” or “Invoke-Command” cmdlets
- Non-interactive logons (i.e. Log on as a Service, Log on as Batch, Scheduled Tasks, drive mappings, etc.)
- Pre-Logon Access Providers (PLAPs) such as Windows Always On VPN
- RDP Restricted Admin Mode
Enabling UAC elevation protection is a checkbox in the Duo installer, described in step 6 here:
So, if your admin uses have RSAT tools installed locally, and launch a tool like ADUC as an administrator (vs as a different user), there could be a Duo prompt on elevation.