Non group users are also getting sync

sv7 (Level 3)

Hi All,

I have integrated my AD server with Duo, where only users of a specific group should get synced, but all users outside of that particular group are getting synced too. The base DN is like DC=abc,DC=local. Can you help me with where I am lacking? Attaching a snapshot for your reference.

Also I have tried with OU specific (security_group_dn=CN=wirelessguest,OU=Groups,DC=abc,DC=local), but then users are unable to verify the passcode received on Duo Mobile with respect to the application (Cisco ASA single sign-on).

Please let me know what I'm missing.

8 Replies

sv7 (Level 3)

Any help, people?

Hello,

The only thing I can think of is that maybe you have configured that specific user group in multiple syncs (as described in the doc linked below)?

Can you post that snapshot that you are referring to ?

https://duo.com/docs/adsync#groups

If that's the case, then why are users not part of that group also getting synced? PFA snapshot.

(attached snapshot: sv7_0-1691477605024.png)

There is no snapshot visible in your original post, so I have no idea what your config is like.

You say:
"Also i have tried with OU specific (security_group_dn=CN=wirelessguest,OU=Groups,DC=abc,DC=local) "

That is not relevant to AD sync config. Duo AD sync does not use security_group_dn in the config (which is an [ad_client] argument). Duo AD sync only uses a [cloud] section in authproxy.cfg.

security_group_dn in an [ad_client] section means "only allow users who exist within the DN I have defined to log in via the Authentication Proxy RADIUS or LDAP server section that uses this ad_client config". https://duo.com/docs/authproxy-reference#ad_client

For AD sync, you must select groups to sync within the Admin Panel. They are NOT selected via any text setting in authproxy.cfg. https://duo.com/docs/adsync#groups

Are you actually asking about authentication and not sync? Are you conflating these two separate configurations together?

Duo, not DUO.
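The distinction drawn in the reply above, shown on a constructed authproxy.cfg (an added example, not code from this thread or from Duo): security_group_dn only takes effect through the [ad_client] section that a RADIUS or LDAP server section points at with client=, while the [cloud] section that drives directory sync carries no group setting at all. The host name, ikey/skey values, IP and passwords in the sample are placeholders; the DNs follow the original post. The sync group selection itself is made in the Admin Panel, so nothing in this file can narrow it.

```python
import configparser

# Constructed sample authproxy.cfg (not from the thread): DNs follow the original
# post; every host name, ikey/skey, IP and password is a placeholder.
SAMPLE_CFG = """
[ad_client]
host=dc1.abc.local
service_account_username=duo_svc
service_account_password=REPLACE_ME
search_dn=DC=abc,DC=local
security_group_dn=CN=wirelessguest,OU=Groups,DC=abc,DC=local

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_ME
api_host=api-xxxxxxxx.duosecurity.com
radius_ip_1=10.0.0.5
radius_secret_1=REPLACE_ME
client=ad_client
failmode=secure

[cloud]
ikey=DIYYYYYYYYYYYYYYYYYY
skey=REPLACE_ME
api_host=api-xxxxxxxx.duosecurity.com
service_account_username=duo_svc
service_account_password=REPLACE_ME
"""

# Sections that answer authentication requests and therefore consult a client section.
SERVER_PREFIXES = ("radius_server_", "ldap_server_")


def scope_report(cfg_text):
    """Map each authentication server section to the group restriction it inherits
    from its client= section, and report separately whether a sync section exists."""
    # authproxy.cfg uses only '=' as a delimiter; passwords may contain '%' or ':'.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(cfg_text)

    auth_scopes = {}
    for section in cp.sections():
        if not section.startswith(SERVER_PREFIXES):
            continue
        client = cp[section].get("client")
        if client is None or not cp.has_section(client):
            # A server section without a usable client= is a config error, not a scope.
            auth_scopes[section] = {"client": client, "security_group_dn": None,
                                    "error": "missing client section"}
            continue
        auth_scopes[section] = {
            "client": client,
            # Restricts logins through this server section only; sync never reads it.
            "security_group_dn": cp[client].get("security_group_dn"),
        }

    sync = {"present": cp.has_section("cloud"), "security_group_dn": None}
    if sync["present"]:
        # Group selection for sync is made in the Admin Panel. A security_group_dn
        # pasted into [cloud] is reported only so it can be flagged as having no effect.
        sync["security_group_dn"] = cp["cloud"].get("security_group_dn")
    return {"auth_scopes": auth_scopes, "sync": sync}


if __name__ == "__main__":
    report = scope_report(SAMPLE_CFG)
    for name, scope in report["auth_scopes"].items():
        print(f"[{name}] logins limited to {scope['security_group_dn']} via [{scope['client']}]")
    print(f"[cloud] present: {report['sync']['present']}; "
          f"group filter in file: {report['sync']['security_group_dn']}")
```

Running it on the sample shows the asymmetry directly: the RADIUS section inherits the wirelessguest restriction from [ad_client], and [cloud] reports no group filter because the file has nowhere to put one.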

Hi Kristina, 

I'm asking about Duo AD sync. Also I'm attaching the TAC recommendation for this problem. Kindly check and let me know what you think of it.

TAC RECOMMENDATION:

AD Sync:

You are syncing users as well as their phone numbers, meaning that the users synced are already enrolled since their phone number is present (again, if a user has a phone number, it means they are enrolled).

You are then sending them an activation SMS, but this is only to activate push.

If you select "send enrollment email..." at the bottom of the page in your AD Sync, users that come in will receive an email to enroll. However, that is only if you don't sync their phone numbers.

If their phone numbers are syncing with AD Sync, they WILL NOT receive an enrollment email; they are already enrolled.

The users that you do not recognise are ones that have self-enrolled upon accessing an application because your new user policy dictates "require enrollment".

Solution:
The complete solution here is:

1- Do not sync users' phone numbers anymore.
2- Check the box "send automatic enrollment to synced users" in your AD Sync.
3- Change your "new user policy" to deny access instead of require enrollment, so that new users cannot enroll themselves anymore unless they receive an enrollment email from you, or automatically from AD Sync.

Well, the information you received from TAC is correct information for Duo but it seems unrelated to your actual issue if your issue is that users are getting imported by AD Sync when you don't expect them to be, which is what you asked in your original post.

Is it that you think that users who are completing self-enrollment while logging into a protected application are actually getting synced by AD, when they are actually not managed by the sync at all?

If your actual issue is "I only want users in Duo created by AD Sync and I want to prevent any users getting created outside of AD sync via self-enrollment" then yes, the answer you got is correct for THAT scenario.

Duo, not DUO.

Hi,

Yes, you got it right. My issue is that users who are not part of the AD sync group are also visible in the Duo dashboard with status "enrollment pending". What can I do to resolve this?

Regarding your statement "Is it that you think that users who are completing self-enrollment while logging into a protected application are actually getting synced by AD, when they are actually not managed by the sync at all?", I need to check once.

> My issue is that users who are not part of the AD sync group are also visible in the Duo dashboard with status "enrollment pending". What can I do to resolve this?

What do you want the resolution to be?

If you do want those users to exist you should let them complete enrollment.

"Pending enrollment" for a user means that username exists in Duo but the user has no 2FA device enrolled in Duo for authentication. This is going to be the status for a user created with bulk enrollment or created by directory sync when the option to import phones is not enabled before the user was synced in to Duo.

If you don't want those users to exist at all, go into the Duo Admin Panel and delete them. Then set either your Global Policy or the policies assigned to your Duo applications and set the new user policy to deny unenrolled users, which means users can only be added to Duo by an admin or via sync.

If you try to delete a user and find you can't because they are managed by the sync, then you are syncing them and they ARE part of your AD sync group. Be aware that Duo AD sync imports members of nested groups that are members of the group you select. When you view the properties of a synced user, the top of the page indicates the user is managed by sync, and the group info shows them as a member of the synced group; the group membership can't be edited.

When you reached out for support did you contact Cisco TAC or Duo Support? If you did not correspond with Duo Support you might want to give them a try. They are much more familiar with Duo and could tell you the exact sync status/source of the users. Duo Support has tools that aren't available to the general global TAC support teams.

Duo, not DUO.
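The nested-group behaviour mentioned in the reply above is the usual reason a user who is "not in the group" still arrives through sync. The following Python is an added example, not code from this thread or from Duo: it expands a constructed group tree the way AD resolves membership (transitively, with a guard against membership cycles), reports the chain of groups that pulls a given user in, and builds the LDAP_MATCHING_RULE_IN_CHAIN filter (OID 1.2.840.113556.1.4.1941) with which ldapsearch can ask the domain controller for the same answer. The base DN follows the original post; every user and group name is made up.

```python
from collections import deque

# Constructed directory snapshot (not from the thread): each group DN maps to its
# direct "member" values, which may be users or other groups. The base DN follows
# the original post; every user and group name here is made up.
BASE_DN = "DC=abc,DC=local"
SYNC_GROUP = f"CN=wirelessguest,OU=Groups,{BASE_DN}"
CONTRACTORS = f"CN=contractors,OU=Groups,{BASE_DN}"
VENDORS = f"CN=vendors,OU=Groups,{BASE_DN}"
HELPDESK = f"CN=helpdesk,OU=Groups,{BASE_DN}"

DIRECTORY = {
    SYNC_GROUP: [f"CN=alice,OU=Users,{BASE_DN}", CONTRACTORS],   # contractors is nested
    CONTRACTORS: [f"CN=bob,OU=Users,{BASE_DN}", VENDORS],        # nested two levels down
    VENDORS: [f"CN=carol,OU=Users,{BASE_DN}", CONTRACTORS],      # membership cycle
    HELPDESK: [f"CN=dave,OU=Users,{BASE_DN}"],                   # unrelated to the synced group
}

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def effective_members(directory, group_dn):
    """User DNs that AD treats as members of group_dn, following nested groups.

    A DN that is a key of `directory` is a group and gets expanded; anything
    else is a user. `seen` stops the walk from looping on membership cycles.
    """
    users, seen, queue = set(), {group_dn}, deque([group_dn])
    while queue:
        for member in directory.get(queue.popleft(), []):
            if member in directory:
                if member not in seen:
                    seen.add(member)
                    queue.append(member)
            else:
                users.add(member)
    return users


def membership_path(directory, group_dn, user_dn):
    """Chain of group DNs from group_dn down to the group that lists user_dn
    directly, or None if user_dn is not an effective member."""
    parent = {group_dn: None}
    queue = deque([group_dn])
    while queue:
        current = queue.popleft()
        for member in directory.get(current, []):
            if member == user_dn:
                path = [current]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            if member in directory and member not in parent:
                parent[member] = current
                queue.append(member)
    return None


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP filter assertion."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def transitive_member_filter(group_dn):
    """Filter that asks AD itself for the users that are transitive members of
    group_dn, usable as the filter argument to ldapsearch."""
    return (f"(&(objectCategory=person)"
            f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)}))")


if __name__ == "__main__":
    for user in sorted(effective_members(DIRECTORY, SYNC_GROUP)):
        print(user, "<-", " <- ".join(membership_path(DIRECTORY, SYNC_GROUP, user)))
    print(transitive_member_filter(SYNC_GROUP))
```

On the sample tree, carol is pulled in through wirelessguest, contractors and vendors even though she is a direct member of none but the last; dave is not reached at all. Against a real domain the same question can be put to the controller with something like `ldapsearch -x -H ldap://dc1.abc.local -D <bind dn> -W -b DC=abc,DC=local '<filter>' dn` (host name assumed), where `<filter>` is the string the last function produces; the escaping helper matters only when a group name contains parentheses, asterisks or backslashes.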