Environment
Duo Two-Factor (2FA) with Active Directory only accounts (m-uniqname1 for example), Add M1 or M2 Accounts to Duo
Issue
Customer needs to enroll a non-uniqname AD account in Duo. For example, adding an M1 or M2 account to work on Duo-protected servers and other systems.
Customer does not see the Linked Accounts (Requires VPN) menu option in UAM
Note: This article does not apply to all non-uniqname accounts, only to those in Active Directory. Those accounts are often in the format PREFIX-UNIQNAME (e.g. its-uniqname, p-uniqname). This article does not apply to Supplier Accounts - see U-M Strategic Supplier/Vendor Unable to Log In (ID/Password or Duo) -- Support Staff for information on supporting suppliers.
Resolution
The customer must perform the steps below to enroll a non-uniqname account in Duo. The Service Center cannot do this for them, because enrollment requires logging in with the account credentials, which the Service Center does not have.
Note: To register an elevated account with a YubiKey, submit a ticket for the IAM team with the serial number of the token.
Note: To complete all of the steps below, you must be on a campus network or connected to the UMVPN.
- Go to University Account Management (UAM) and log in with your uniqname and UMICH password.
- Click the Linked Accounts menu item.
- Click Link New Account.
- Enter the non-uniqname Account, Password, and Purpose of Account, and then click Link Account.
- Complete the Duo enrollment process. When complete, the Duo Device Management page displays.
Additional Information
This applies only to AD users because Duo IDs must be unique, so local accounts like Administrator are still not an option.
For reference: https://documentation.its.umich.edu/2fa/duo-non-uniqname-account-management