Before executing any directory synchronization with Duo, understand the effect that synchronization can have on accounts with duplicate Duo usernames. Suppose that you already have some active Duo users, and one or more of these users have the same username in Azure. Performing a synchronization will cause the existing Duo users' information to be merged with, and in some cases overwritten by, the Azure AD information, such as email addresses present in Duo changing to match the value stored in the synced directory. Likewise, if you synchronize multiple directories and there are non-unique usernames among those directories, the net result is that there will be only one Duo user created with that username, and each sync will update that Duo user with different information. Multiple directory syncs that use non-unique user names or the same selected groups may also produce undesired results, as each sync process could overwrite the user with different information or update the group memberships for a given user unexpectedly.

Prerequisites

Before setting up Azure AD sync, ensure you have the following:

- A supported Azure or Office 365 subscription. Duo supports importing users into Duo from Azure commercial and government tenants, but not from Azure GCC High tenants.
- A designated Azure admin service account to use for authorizing the sync. This account needs the Azure Global Administrator role during Duo setup, but you can reduce the service account's role privileges later. This service account may or may not require Azure MFA for admins at login (learn more about the baseline MFA policy for Azure admins).
- Azure AD groups populated with users to sync.
- Administrator access to the Duo Admin Panel as an Owner, Administrator, or User Manager (see Admin Roles for more information).
- An application where users sign in with an Azure AD UPN as their username.

To start setting up Azure AD synchronization:

1. Log in to the Duo Admin Panel and click Users in the left side bar. Then click Directory Sync on the submenu or click the Directory Sync button on the Users page. If you have any existing directories configured to sync with Duo, they'll be shown here.

2. While on the Azure Active Directory tab, click the Add New Azure Active Directory Sync button.

3. If this is the first Azure directory sync you've created, then you must create a new Azure AD connection. Select Add New Connection on the "New Azure AD Sync" page and click Continue.

   If you've already set up an Azure AD sync directory in Duo with your Azure tenant and want to add a second sync for that same tenant, you can choose to reuse your existing Azure connection instead of authorizing a new one. Your available Azure AD connections will show up in the drop-down list when you choose the Reuse existing connection option. Select an existing connection to use for this additional directory sync, and then click Continue. You will not be asked to perform the Azure app authorization steps again, and will skip directly to the directory details page where you can configure your synced attributes and other sync properties.

4. If you're creating a new Azure connection, then you'll be redirected to the Azure AD portal to authorize use of Duo Azure AD Sync in your tenant.
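The merge-and-overwrite behaviour described in the duplicate-username section is easy to check for before the first sync runs. The following is an added example, not Duo's code and not the Duo Admin API: it takes a constructed set of existing Duo usernames and two constructed Azure AD sync sources, lists the usernames that would be merged into an existing Duo user or claimed by more than one sync, and simulates the result. The only assumption is the one the documentation states: a synced attribute for a matching username overwrites the Duo value, so the last sync to run wins.

```python
"""Pre-sync collision check for Duo Azure AD Sync (added example, not Duo code).

Models the documented behaviour: an Azure AD user whose username matches an
existing Duo user is merged into that user (attributes such as email are
overwritten), and when several syncs carry the same username only one Duo
user exists and each sync overwrites it in turn. All records below are
constructed sample data, not output of the Duo Admin API.
"""
from collections import defaultdict

# Constructed: users already present in Duo before any sync runs.
EXISTING_DUO_USERS = {
    "alice@example.com": {"email": "alice@corp.example.com", "realname": "Alice A"},
    "bob@example.com": {"email": "bob@example.com", "realname": "Bob B"},
}

# Constructed: two directory syncs, each mapping Azure AD UPNs to attributes.
SYNCS = {
    "azure-sync-hr": {
        "alice@example.com": {"email": "alice@example.com", "realname": "Alice Anders"},
        "carol@example.com": {"email": "carol@example.com", "realname": "Carol C"},
    },
    "azure-sync-eng": {
        "carol@example.com": {"email": "carol.c@example.com", "realname": "Carol Chen"},
        "dave@example.com": {"email": "dave@example.com", "realname": "Dave D"},
    },
}


def find_collisions(existing, syncs):
    """Return (merged, multi_sync).

    merged:     sorted usernames that already exist in Duo and appear in a sync,
                so the sync will merge into / overwrite the existing Duo user.
    multi_sync: usernames claimed by more than one sync, mapped to the list of
                sync names that carry them.
    """
    owners = defaultdict(list)
    for sync_name, users in syncs.items():
        for username in users:
            owners[username].append(sync_name)
    merged = sorted(u for u in owners if u in existing)
    multi_sync = {u: names for u, names in owners.items() if len(names) > 1}
    return merged, multi_sync


def simulate_sync(existing, syncs, order):
    """Apply syncs in the given order and return the resulting Duo user table.

    Assumption (from the documentation): each sync overwrites the synced
    attributes of a matching username, so the last sync in `order` wins.
    """
    result = {u: dict(attrs) for u, attrs in existing.items()}
    for sync_name in order:
        for username, attrs in syncs[sync_name].items():
            result.setdefault(username, {}).update(attrs)
    return result


def report(existing, syncs):
    """Human-readable findings, one line per collision."""
    merged, multi = find_collisions(existing, syncs)
    lines = []
    for u in merged:
        lines.append(f"{u}: existing Duo user will be merged; "
                     f"email {existing[u]['email']!r} will be overwritten")
    for u, names in sorted(multi.items()):
        lines.append(f"{u}: claimed by {len(names)} syncs ({', '.join(names)}); "
                     f"only one Duo user will exist and the last sync to run wins")
    return lines


if __name__ == "__main__":
    for line in report(EXISTING_DUO_USERS, SYNCS):
        print(line)
    final = simulate_sync(EXISTING_DUO_USERS, SYNCS, ["azure-sync-hr", "azure-sync-eng"])
    print("carol after both syncs:", final["carol@example.com"])
```

Running the check before enabling a second sync for the same tenant, or before syncing a directory into a Duo deployment that already has manually created users, shows exactly which accounts will change and which group memberships may be rewritten, so the decision to rename, exclude or accept the overwrite is made deliberately rather than discovered after the fact.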