Skip navigation
Documentation

Administrative Units

Contents

Large organizations may have delegated management responsibilities to regional, functional, or line of business IT teams. Duo's Administrative Units feature lets Duo Beyond, Duo Access, and Duo MFA customers perform logical grouping of Duo users and applications and grant management privileges to designated administrators.

Admin Roles and Units

Duo's administrator role permissions and administrative unit assignments define a given administrator's management scope. A Duo administrator's assigned role determines what actions that admin may perform, while a Duo administrator's assigned administrative unit determines which objects that administrator can manage by performing the actions permitted by the admin's role.

Administrative Roles and Units

Only Duo administrators with the Owner role may create administrative units or modify a unit's assigned administrators, user groups, and applications.

Global vs Restricted Admins

Duo administrators not assigned to an administrative unit are "global adminstrators". Global administrators may perform the management actions included in their assigned roles upon any Duo object.

Assigning a global administrator to an administrative unit revokes any management rights that administrator previously had to manage users, groups, or applications not also assigned to the same administrative unit.

Administrative Unit Examples

Regional Help Desk Rights

Acme Corp has different level one help desk teams supporting geographical regions. The US team only assists users in the United States, and the EU team only assists users in Europe. A global level two help desk team assists users in all regions. No help desk team may manage any applications.

Help Desk Example Administrative Units Scenario

Acme's global Duo owner accomplishes this by doing the following:

  1. Creating a new administrative unit called "US Help Desk".
  2. Creating a new administrative unit called "EU Help Desk".
  3. Creating Duo admin accounts for the US and EU level one team members, assigning each of them the "Help Desk" role
  4. Assigning each US level one administrator to the "US Help Desk" administrative unit.
  5. Assigning all groups that contain US-based end users to the "US Help Desk" administrative unit.
  6. Assigning each EU level one administrator to the "WU Help Desk" administrative unit.
  7. Assigning all groups that contain EU-based end users to the "EU Help Desk" administrative unit.
  8. Creating Duo admin accounts for the global level two team members, assigning each of them the “Help Desk” role. These administrators are not assigned to any administrative units.

VPN Management Rights for Network Admins

Acme Corp has a large IT workforce, segmented by function. Acme's networking team needs to manage Duo policy settings for VPN applications, but should not manage any users.

Network Team Administrative Units Scenario

Acme's global Duo administrator accomplishes this by doing the following:

  1. Creating a new administrative unit called "VPN Applications".
  2. Creating Duo admin accounts for the networking team members, assigning each of them the "Application Manager" role.
  3. Assigning each networking admin's account to the "VPN Applications" administrative unit.
  4. Assigning Duo VPN applications to the "VPN Applications" administrative unit.
  5. Other restricted Duo administrators outside the network group are not assigned to the "VPN Applications" administrative unit.
  6. No user groups are assigned to the "VPN Applications" administrative unit.
  7. Any new VPN applications created by the restricted admins in the "VPN Applications" administrative unit re automatically added to that administrative unit.

Creating Administrative Units

  1. Log in to the Duo Admin Panel as an Owner and navigate to AdministratorsAdministrative Units in the left sidebar.

  2. Click Create Administrative Unit in the upper right.

  3. Enter an Administrative Unit Name and and an optional description.

  4. In the "Administrators" section you can select each administrator you wish to assign to this new unit. For each administrator selected, you'll see that admin's assigned role and a summary of the permissions granted by that role. You may skip assigning administrators to the new unit during creation, and add the unit administrators later.

  5. The "Assignments" section is where you associate applications and user groups with the new administrative unit.

Modifying Administrative Units

  1. Log in to the Duo Admin Panel as an Owner and navigate to AdministratorsAdministrative Units in the left sidebar.

  2. Locate the administrative unit you wish to update in the list and click the View and Edit link.

  3. Make your desired changes, which could be modifying the name or description, or additions to/deletions from the administrative unit's administrator, application, or user group assignments, and then click Save Administrative Unit.

Deleting Administrative Units

  1. Log in to the Duo Admin Panel as an Owner and navigate to AdministratorsAdministrative Units in the left sidebar.

  2. Locate the administrative unit you wish to remove and click the Delete link. Confirm the deletion operation,

Understand the impact deleted administrative units has on restricted admins!

When you delete an administrative unit, any administrators assigned to that unit lose management privileges on any of the applications or user groups that were assigned to the deleted unit, unless these rights are also granted by a remaining unit.

A restricted administrator doesn't automatically revert back to a global administrator when all of that admin's assigned administrator units get deleted. Instead, that admin remains a restricted administrator, but doesn't have any user groups or applications to manage and cannot access the Duo Admin Panel.

You'll need to either assign the restricted administrator to another administrative unit, or convert the restricted administrator to a global administrator by visiting that restricted administrator's properties page in the Duo Admin Panel and changing the "Administrative units" setting to Allow access to all groups and applications.

Assigning Administrators to Administrative Units

You can assign restricted administrators to administrative units from the Administrative Units page or from an individual administrator's properties page. Restricted administrators can manage the applications and groups specified by the administrative unit.

Assigning Administrators to an Administrative Unit

  1. Log in to the Duo Admin Panel as an Owner and navigate to AdministratorsAdministrative Units in the left sidebar.

  2. Locate the administrative unit you wish to update in the list and click the View and Edit link.

  3. Select the administrator from the list in the "Administrators" section.

  4. Click Save Administrative Unit.

Assigning Administrative Units to an Administrator

  1. Log in to the Duo Admin Panel as an Owner and click Administrators in the left sidebar.

  2. Click on the administrator's name.

  3. Scroll down to the "Administrative units" section and select the Restrict access by administrative units option.

  4. Click into the text entry field and start typing the name of an administrative unit. Click the unit's name in the list to select it. Repeat this for all administrative units you wish to assign to this administrator.

    As you add administrative units to the list, you'll see the number of groups and applications this admin can access change. Click Show details to view the names of each application and user groups this administrator will be able to manage once you save your changes.

  5. Click Save Changes.

Assigning Applications to Administrative Units

You can assign applications to administrative units from the Administrative Units page or from an individual application's properties page. Applications may only be assigned to one administrative unit, but an administrative unit can include multiple applications.

Restricted administrators whose assigned role includes the right to create and delete applications can create and delete applications in their assigned administrative unit, as well as manage the applications and groups specified by the administrative unit.

Assigning Applications to an Administrative Unit

  1. Log in to the Duo Admin Panel as an Owner and navigate to AdministratorsAdministrative Units in the left sidebar.

  2. Locate the administrative unit you wish to update in the list and click the View and Edit link.

  3. Scroll down to the "Assign Applications" section and change the "Administrators in this administrative unit manage" option from "all applications" to specific applications.

  4. Choose the application(s) you want to assign to this administrative unit from the list in the "Assign Applications" section.

  5. Click Save Administrative Unit.

Assigning an Administrative Unit to an Application

  1. Log in to the Duo Admin Panel as an Owner and click Applications in the left sidebar.

  2. Click on the application's name (or use the global search bar at the top to find the application you want to change).

  3. Scroll down to the "Administrative unit" section.

  4. Select the administrative unit to want to manage this application from the drop-down list.

  5. Click Save Changes.

Assigning User Groups to Administrative Units

You can assign groups of Duo users to administrative units from the Administrative Units page or from an individual group's properties page.

Restricted administrators whose assigned role includes the right to create and delete users can create and delete user groups in their assigned administrative unit, as well as manage the groups and group members specified by the administrative unit.

Assigning Groups to an Administrative Unit

  1. Log in to the Duo Admin Panel as an Owner and navigate to AdministratorsAdministrative Units in the left sidebar.

  2. Locate the administrative unit you wish to update in the list and click the View and Edit link.

  3. Scroll down to the "Assign Groups" section and change the "Administrators in this administrative unit manage" option from "all users" to specific groups.

  4. Choose the group(s) you want to assign to this administrative unit from the list in the "Assign Groups" section.

  5. Click Save Administrative Unit.

Assigning Administrative Units to an Group

  1. Log in to the Duo Admin Panel as an Owner and click Groups in the left sidebar.

  2. Click on the group's name (or use the global search bar at the top to find the group you want to change).

  3. Scroll down to the "Administrative units" section.

  4. Click into the text entry field and start typing the name of an administrative unit. Click the unit's name in the list to select it. Repeat this for all administrative units you wish to manage this user group.

  5. Click Save Changes.

Duo Policies

Administrators restricted by an administrative unit interact with Duo policies as follows:

  • The Global Policy is read-only to restricted admins.
  • A restricted administrator may clone custom policies associated with applications not associated with that admin's unit. Edits to the cloned policy have no effect on the original source policy. The admin may assign the cloned policy only to their managed applications and groups.
  • A restricted administrator can freely edit any custom policy associated with only applications they manage, even if it is a group policy assigned to the managed application for groups the restricted admin does not manage.

Applications

Administrators restricted by an administrative unit interact with Duo applications as follows:

  • Restricted admins may only create applications in their assigned administrative unit.
  • An application may only be assigned to one administrative unit. When creating a new application, the restricted admin must select exactly one administrative unit.
  • When editing an application, restricted admins may change the associated administrative unit to any other unit they manage. Any restricted admin assigned to the original associated unit but not to the newly associated unit loses management privileges on that application.
  • Applications assigned to an administrative unit are not limited to the user groups of the administrative unit by default.
  • Restricted admins can modify and delete applications associated with their administrative unit.

User Management

Administrators restricted by an administrative unit interact with Duo users as follows:

  • Restricted admins may only list and view users they manage via a group association to their assigned unit.
  • When viewing a user, the restricted admin sees a read-only list of administrative units the user is assigned to via group membership.
  • When creating a new user, the user must be assigned to a user group that the restricted admin can manage. If no user groups exist that the restricted admin can manage, the admin must create one before attempting to create a new user.
  • The restricted admin may only add users to or remove users from groups managed by the admin's assigned unit.
  • The "Pending Enrollments" page filters out users not in the restricted admin's assigned administrative units.
  • The "Bypass Codes" page lists codes only for users in the restricted admin's assigned administrative units.

Bulk Enrollment

  • Restricted admins may not use bulk enrollment.
  • Restricted admins can not manage users created via bulk enrollment until a global administrator adds those users to a group that belongs to the one of the restricted admin's assigned units.

User Import

  • When importing or updating users via CSV import, user rows with no group specified or that specify a group or groups not assigned to the restricted admin's units will be skipped.
  • Restricted admins may not create new groups via CSV import.

Directory Sync

Administrators restricted by an administrative unit interact with Directory Sync as follows:

  • Restricted admins cannot create, edit, or delete directories, regardless of assigned role.
  • Restricted admins with roles that permit directory sync operations can view manually sync directories that maintain user membership of groups assigned to the restricted admin's assigned units.

Group Management

Administrators restricted by an administrative unit interact with Duo groups as follows:

  • When creating new groups, restricted admins must associate the new user group with an administrative unit they manage.
  • Restricted admins may not change a group's administrative unit after creation.

Device and Endpoint Management

Administrators restricted by an administrative unit interact with Device Insight and Duo endpoints as follows:

  • The "Endpoints page lists endpoint devices for only users that belong to groups assigned to the restricted admin's units.
  • The "2FA Devices" page lists secondary authentication devices associated with users the restricted admin can manage, plus all devices unassigned to any user.
  • The details page of an endpoint or 2FA device hides any users associated with that endpoint or device that don't belong to the admin's assigned units.

Phishing

Restricted admins may not create or view phishing campaigns.

Reporting

  • Authentication logs display events for users associated with the restricted admin's units.
  • Administrator action logs filter out actions on objects the restricted admin can not manage.

Troubleshooting

Need some help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.

Ready to Get Started?

Sign Up Free