Duo Aliases for Department User Accounts
Duo Aliases Overview
What are Duo Aliases?
Duo Aliases enable multiple usernames to be a linked to a single Duo account. This allows the Duo account for an EID to provide MFA for secondary accounts such as a department user account.
Which department accounts can be set as an alias?
Duo Aliases are automatically configured for department user accounts and are not available for department service accounts. A department user account must be claimed for an alias to be configured. Assigning a department user account to an EID will not create a Duo alias until the account is claimed.
How many aliases can a Duo account have?
Duo accounts at UT can be configured with up to 5 aliases.
How are aliases assigned?
Duo aliases are assigned by a pair of automated processes. The first process runs each hour and links department user accounts to the EID that claimed the account. The second process runs twice daily to update Duo with aliases assigned to each account.
How Department User Account Aliases are Set
If you have claimed five or fewer department user accounts
All of the department user accounts claimed by you will be set as aliases for you in Duo.
If you have claimed more than five department user accounts
The alias-assigning process will stop processing for you once this threshold is reached
The existing aliases (if any) set for you in Duo will remain in effect
In order to change the aliases assigned to you in Duo
Are all of your claimed user accounts actually user accounts?
If any of your claimed department user accounts should actually be department service accounts, submit a request to the AD team to have them re-categorized.
After this is completed, if you have claimed five or less user accounts, the automated alias assigning process that runs hourly will resume configuring your aliases automatically.If you need to claim more than five department user accounts, the AD team can specify which of them are set as aliases for you in Duo.
Submit a request to the AD team, identifying up to five department user accounts claimed by you that you want set as your aliases in Duo.
Reviewing your Duo Aliases
Eventually, functionality to view and select your Duo aliases will be added to the Department User Tools.
For now, you can use the following methods to view your Duo aliases (which are stored in the attributes named utexasEduAzureSingle11, utexasEduAzureSingle12, utexasEduAzureSingle13, utexasEduAzureSingle14, and utexasEduAzureSingle15):
PowerShell with the Active Directory Module
Retrieve your Duo aliases by running the following (replace EnterYourEID with your EID on the first line.)
$user = "EnterYourEID"
$properties = @("name", "utexasEduAzureSingle11", "utexasEduAzureSingle12", "utexasEduAzureSingle13", "utexasEduAzureSingle14", "utexasEduAzureSingle15")
Get-ADUser $user -Properties $properties | Format-List $propertiesOpenLDAP Tools
If you do not have a Kerberos ticket, you can get one by running the following command (Replace <EnterYourEID> with your EID):
# The domain portion of the UPN must be completely in uppercase as shown!
kinit <EnterYourEID>@AUSTIN.UTEXAS.EDURetrieve your Duo aliases by running the following (replace <EnterYourEID> with your EID):
ldapsearch -H ldap://aad-dc-aus-p01.austin.utexas.edu:389 -b "OU=People,DC=austin,DC=utexas,DC=edu" "(&(objectClass=user)(sAMAccountName=<EnterYourEID>))" name utexasEduAzureSingle11 utexasEduAzureSingle12 utexasEduAzureSingle13 utexasEduAzureSingle14 utexasEduAzureSingle15