
Windows Login - Duo only for admin accounts

TravisJ
Level 1

Is it possible to roll out protection for all endpoints but only prompt for Duo when users log in with an admin account (domain admin, IT support desk, etc.)?

3 Replies

Amy2
Level 5

Hi @TravisJ,
I think you can accomplish what you’re after using Duo Group Policy, depending on which edition of Duo you are using today. You’ll need to be on at least Duo MFA edition to make use of Policy Enforcement. Please refer to our documentation for Duo Authentication for Windows Logon (RDP) Active Directory Group Policy here.

You can set up a Group Policy for the roles you would like to prompt for Duo 2FA while bypassing all other users. Read how to do that in the help article here: https://help.duo.com/s/article/3888

Our Policy & Control documentation and Duo Policy Guide may also be useful for you to check out.

TravisJ
Level 1

Thank you! That’s exactly what I needed.

sslayton
Level 1

What we want to happen:
We want to allow all users to RDP into the system and not have DUO pop up unless they are in one of the configured OU Groups we defined. We do want all users with Admin rights from the defined groups to have to use DUO in order to get in.

Issue we are having:
Everything works as planned but with one caveat. If a user has local admin rights on a server but they are not in one of the configured OU groups, they gain access without using DUO. Is there any way for DUO to check servers for local admin accounts and force them to use DUO to gain access even if they are not in a defined group?
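
One way to measure the gap described in the post above is to list every account that holds local Administrators rights on a server but is not a member of the AD groups Duo is set to challenge. This is an added example, not part of the thread and not Duo tooling; the group names and server names are placeholders, and it assumes the RSAT ActiveDirectory module, PowerShell remoting to the servers, and Windows Server 2016 or later on the targets.

```powershell
# Added example: find local Administrators members that fall outside the
# AD groups Duo is configured to prompt. Names below are placeholders.
Import-Module ActiveDirectory

$DuoEnforcedGroups = @('Duo-Admins', 'Duo-HelpDesk')   # placeholder group names
$Servers           = @('SRV01', 'SRV02')               # placeholder server names

# SIDs of every account Duo will prompt, with nested groups expanded.
$enforced = New-Object 'System.Collections.Generic.HashSet[string]'
foreach ($g in $DuoEnforcedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        ForEach-Object { [void]$enforced.Add($_.SID.Value) }
}

$findings = foreach ($server in $Servers) {
    # S-1-5-32-544 is the well-known SID of the local Administrators group.
    $members = Invoke-Command -ComputerName $server -ScriptBlock {
        Get-LocalGroupMember -SID 'S-1-5-32-544' |
            Select-Object Name, ObjectClass,
                @{ n = 'Sid';    e = { $_.SID.Value } },
                @{ n = 'Source'; e = { "$($_.PrincipalSource)" } }
    }
    foreach ($m in $members) {
        # Domain groups nested in local Administrators are expanded to users;
        # local accounts and directly added domain users are checked as-is.
        $principals = if ($m.ObjectClass -eq 'Group' -and $m.Source -eq 'ActiveDirectory') {
            Get-ADGroupMember -Identity $m.Sid -Recursive |
                Where-Object objectClass -eq 'user' |
                ForEach-Object {
                    [pscustomobject]@{ Name = $_.SamAccountName; Sid = $_.SID.Value; Via = $m.Name }
                }
        } else {
            [pscustomobject]@{ Name = $m.Name; Sid = $m.Sid; Via = 'direct' }
        }
        foreach ($p in $principals) {
            if (-not $enforced.Contains($p.Sid)) {
                [pscustomobject]@{ Server = $server; Account = $p.Name
                                   GrantedVia = $p.Via; Source = $m.Source }
            }
        }
    }
}

# Each row is an admin-capable account that is not in a Duo-enforced group.
$findings | Sort-Object Server, Account | Format-Table -AutoSize
```

Rows with `Source` of `Local` are machine-local accounts, which cannot be members of an AD group; the remaining rows are domain accounts that either need to be added to an enforced group or removed from local Administrators.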
