You are currently viewing Cisco Duo Bulk Device Enrolment Methods for Contractors

Cisco Duo Bulk Device Enrolment Methods for Contractors

  • Post author:
  • Post category:Cisco / Duo / Kelvin
  • Post comments:0 Comments
  • Post last modified:10/03/2023
  • Reading time:11 mins read

We now live in a world where we sometimes need to provide contractors, external to your business access to company resources for them to do their job. This concept is not new and for years, we’ve been coming up with new ways to accommodate temporary access to specific environments and applications for contractors. Now, it probably goes without saying but we need to ensure the confidentiality, integrity and availability of these environments and applications regardless of whether they are being accessed by employees or contractors and to do that, we are seeing added security measures such as multi-factor authentication (MFA) being added to critical resources. As a result, companies may find themselves scratching their heads, wondering how they can enable MFA for applications that are not only accessed by employees where accounts are controlled but for contractors too. Therefore, in this article, I would like to highlight how Cisco Duo can allow you to protect your most critical resources with MFA while still controlling and allowing access to contractors where required.

Now, the question I often get asked when I’m working with customers who have such a requirement is “How can I enrol contractors into Cisco Duo?”. This question is a little vague because Cisco Duo has several ways that you can enrol users and so I often like to discuss the applications that the customer is protecting and from there, discuss the authentication options that are available as a result of the application integration or authentication methods that the customer mandates. By digging deeper, we are often able to identify the most suitable user enrolment method for the customer; you can find more about enrolment methods here. One of the most suitable methods with Cisco Duo is to use the bulk enrolment feature that allows you to simply send out a generated email specific to your deployment that will allow users to enrol their mobile devices. Once their mobile device has been enrolled, users can receive push notifications to the Duo mobile application, allowing them to complete MFA when accessing applications which are protected by Cisco Duo. This is great however, sometimes I have customers looking to bulk enrol contractors that don’t have a company email address allocated because they are just temporary contractors and therefore, they are unsure how they can be enrolled for MFA. It can be a little confusing but I will address how it can be done in this article.

Scenario

Customer XYZ is protecting RDP and Windows Logon sessions with Cisco Duo and therefore anybody accessing these systems will need to complete MFA before gaining access to each protected system. Contractors also access this system using internally created user accounts in Active Directory (AD) but no internal email address is given to contractors. Customer XYZ has Active Directory synchronised with their Azure Active Directory (AAD) for other applications that employees and contractors may need to access too. The customer is using Directory synchronisation between their Identity Providers (IdP) and Cisco Duo in order to seamlessly ensure that all users which need to complete MFA are known to Duo. Customer XYZ has no problem sending bulk enrolment emails to employees because they already have email addresses assigned but because contractors don’t have an internally provided email address, they don’t know how to bulk enrol these users. Customer XYZ also assigns hardware tokens to its employees but doesn’t want to increase its operational costs by purchasing additional tokens for contractors and so hardware tokens cannot be used for contractors.

The following options address this specific scenario.

Option One | Add external email addresses to Contractor Active Directory Accounts

When contractor user accounts are created with Active Directory, it is possible to configure their external company email address in the email address field. Once these user accounts are synchronised with Cisco Duo, bulk enrolment emails can be sent to different email addresses. The userPrincipalName (UPN) will remain the same and therefore contractors will be able to login using this as their username once they’ve enrolled their mobile device.

The following is an example of the aforementioned process.

Create a contractor account in Active Directory
Once created, add an the contractors external email address in the E-mail field
Perform a directory sync with Cisco Duo

If your using an hybrid deployment and synchronising from Azure Active Directory, you may need to force the cloud synchronisation or wait until the new user accounts have synchronised successfully.

Check that the users are now within the Cisco Duo User database and confirm that the UPN and Email address are as expected
Navigate to Users > Bulk Enroll Users where you can then send enrolment emails to all unenrolled users

Option Two | Add Contractor Phone Numbers to Active Directory Account

We can add phone numbers to each contractor account and then use these phone numbers to send Duo Mobile activation links to each user. This will then allow them to activate Duo and become fully enrolled.

Add phone numbers to each contractor account within Active Directory
Synchronise accounts with Duo ensuring that the ‘Import phones’ option is selected
If your using an hybrid deployment and synchronising from Azure Active Directory, you may need to force the cloud synchronisation or wait until updates to the accounts have synchronised successfully.

In hybrid deployments you can confirm that mobile numbers have been added by checking each account in Azure Active Directory as shown below.

Note: When using this method in an hybrid deployment, I’ve had intermittent issues whereby, some phone numbers do not show. However, after ensuring that attribute mappings for ‘Phone Numbers’ are synchronised with AAD, the issue seemed to go away once I created new users. The screenshot below shows the result of a user synchronised to Duo with a phone number however, it is not shown in Duo.

Navigate to Users > Activate Duo Mobile and send an activation link via SMS to each contractor

After editing ensuring that the attribute mappings between AD and AAD were correct, I created a new test user as shown below and the phone number was mapped successfully. For customers using on-prem IdP’s only, you won’t need to perform any attribute mappings.

Option Three | Add Contractor Phone Numbers to Azure Active Directory Account

Users created in Azure Active Directory can be assigned phone numbers which in turn can be used to send contractors an enrolment link. When a phone number is added to an account and then Azure Active Directory is synchronised with Cisco Duo, each user account will show a mobile number associated with a user account which then can be used to send an activation link via email or SMS.

Create contractor user accounts in Azure Active Directory
Edit contractor user account properties and add a phone number
Synchronise Azure Active Directory with Cisco Duo

Note: Ensure that the ‘Import Phones’ option is enabled on under the directory sync.

Validate that phones are assigned to contractor user accounts
Navigate to Users > Activate Duo Mobile and send an activation link via SMS to each contractor

Option Four | Bulk enrol contractor accounts using a .CSV file

Customers can bulk upload user accounts that include emails and phone numbers using a .CSV file.

Please refer to the following documentation for more information: https://duo.com/docs/importing-users

Tags: , , , , , ,

iwiizkiid

Kelvin is a Cyber Security professional with years and experience working with organisations in different verticals, both large and small. He enjoys contributing to the Network Wizkid knowledge base and he also creates technical content. Kelvin enjoys learning new things and often does this by working on achieving new technical certifications. He holds many professional certifications and academically, he had achieved a Bachelors and Master's degree in both Computer Networks and Cyber Security.

Leave a Reply