# Cisco Duo

### Overview

The Veza integration for Cisco Duo provides visibility into your organization's multi-factor authentication (MFA) infrastructure, user access methods, and administrative privileges within Duo Security.

The integration enables:

* Visibility into user authentication methods and enrollment status
* Tracking of hardware tokens, phone authentication, and WebAuthn credentials
* Monitoring of administrative roles and permissions
* Group membership and policy enforcement insights
* Device trust and authentication status tracking

See [notes and supported entities](#notes-and-supported-entities) for more details.

### Prerequisites

* A Cisco Duo account with one of the following plans:
  * Duo Premier
  * Duo Advantage
  * Duo Essentials
* Duo administrator access with the Owner role (only Owners can create or modify an Admin API application)
* Valid Admin API credentials

### Configuring Cisco Duo

#### Creating API Credentials

1. Log in to the [Duo Admin Panel](https://admin.duosecurity.com/) and navigate to **Applications**
2. Click **Protect an Application**

   ![Protect an Application in Duo Admin Panel.](/files/nzeAYrRHdZeqdHO5gqGH)
3. Locate **Admin API** in the applications list. Click **Protect** to configure the application
4. Save the credentials:
   * Integration key
   * Secret key
   * API hostname

     ![Example of API credentials screen.](/files/Jb4Jo4esEFreknb9emJ5)

Treat the secret key as a sensitive credential: anyone who holds it together with the integration key can call the Admin API with every permission granted to the application. Store it in a secrets manager or the Veza integration configuration only, and never share it via email or other insecure channels.

#### Configuring API Permissions

1. In the Admin API application settings, grant only the following permissions, which are the minimum the integration requires (no write permissions are needed):

   * `Grant administrators: Read`
   * `Grant resource: Read`

   ![Permission settings for required Read Grant Administrators and Read Grant Resource permissions.](/files/WcmSW20zXQIyOxvHz439)
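Before entering the credentials in Veza it is worth confirming that they work and that the application really has the read grants above. The following is an added example, not Veza's code and not part of this documentation: a stand-alone implementation of Duo's documented Admin API request signing (an HMAC over a canonical request, sent as HTTP Basic authentication) that lists one user and the administrator list, the two read scopes the integration depends on. The `IKEY`, `SKEY` and `HOST` values are placeholders, not real credentials; only the two `/admin/v1/...` paths are taken from Duo's API.

```python
"""Sign and issue a Duo Admin API request (added example, not Veza's code).

Implements Duo's documented request-signing scheme: the Date, method, host,
path and sorted URL-encoded parameters are joined by newlines, HMAC-SHA1'd
with the secret key, and the hex digest is sent as the password of an HTTP
Basic header whose username is the integration key.
"""
import base64
import email.utils
import hashlib
import hmac
import json
import urllib.error
import urllib.parse
import urllib.request

IKEY = "DIWJ8X6AEYOR5OMC6TQ1"                      # placeholder integration key
SKEY = "Zh5eGmUq9zpfQnyUIu5OL9iWoMMv5ZNmk3zLJ4Ep"  # placeholder secret key
HOST = "api-xxxxxxxx.duosecurity.com"              # placeholder API hostname


def encode_params(params):
    """Sorted, percent-encoded parameters. Duo signs exactly this string and
    expects the same bytes in the query string or form body, so one encoder
    serves both; '~' is the only unreserved character left unescaped."""
    return "&".join(
        f"{urllib.parse.quote(str(k), safe='~')}={urllib.parse.quote(str(v), safe='~')}"
        for k, v in sorted(params.items())
    )


def canonicalize(date, method, host, path, params):
    """Canonical request: RFC 2822 date, upper-case method, lower-case host,
    path and encoded params, one per line."""
    return "\n".join([date, method.upper(), host.lower(), path, encode_params(params)])


def authorization_header(ikey, skey, date, method, host, path, params):
    """'Basic ' + base64(ikey:hex(HMAC-SHA1(skey, canonical request)))."""
    canon = canonicalize(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    return "Basic " + base64.b64encode(f"{ikey}:{sig}".encode()).decode()


def build_request(ikey, skey, host, method, path, params, date=None):
    """Return a urllib Request with Date, Host and Authorization headers set."""
    date = date or email.utils.formatdate()
    method = method.upper()
    headers = {
        "Date": date,
        "Host": host,
        "Authorization": authorization_header(ikey, skey, date, method, host, path, params),
    }
    encoded = encode_params(params)
    if method in ("GET", "DELETE"):
        url = f"https://{host}{path}" + (f"?{encoded}" if encoded else "")
        body = None
    else:
        url = f"https://{host}{path}"
        body = encoded.encode()
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    return urllib.request.Request(url, data=body, headers=headers, method=method)


def check_read_access(ikey, skey, host):
    """Exercise the two read scopes the integration needs: one user record and
    the administrator list. Returns path -> ('OK', count) or ('FAIL', status, msg)."""
    results = {}
    for path, params in (("/admin/v1/users", {"limit": 1}), ("/admin/v1/admins", {})):
        req = build_request(ikey, skey, host, "GET", path, params)
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                data = json.load(resp)
            results[path] = (data["stat"], len(data["response"]))
        except urllib.error.HTTPError as err:
            # Duo answers 4xx with a JSON body (stat=FAIL plus a message) that
            # distinguishes a bad signature from a missing permission grant.
            try:
                msg = json.load(err)["message"]
            except (ValueError, KeyError):
                msg = err.reason
            results[path] = ("FAIL", err.code, msg)
    return results


if __name__ == "__main__":
    for path, outcome in check_read_access(IKEY, SKEY, HOST).items():
        print(path, outcome)
```

A 401 on both calls normally means the signature, the Date header or the credentials are wrong; an `OK` on `/admin/v1/users` with a failure on `/admin/v1/admins` means the application has `Grant resource: Read` but is missing `Grant administrators: Read`, so Veza would import users but not their administrative roles.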

### Configuring Cisco Duo on the Veza Platform

1. In Veza, go to the **Integrations** page
2. Click **Add Integration** and search for Cisco Duo
3. Click on the Cisco Duo icon and click **Next**
4. Configure the integration with the following information:

   | Field           | Notes                                                    |
   | --------------- | -------------------------------------------------------- |
   | Host            | Your Duo API hostname (e.g., `api-XXXX.duosecurity.com`) |
   | Integration Key | The integration key from your Admin API application      |
   | Secret Key      | The secret key from your Admin API application           |
5. Click **Create Integration** to save the configuration

### Notes and Supported Entities

The integration supports the following entity types:

* Users (including administrators)
* Groups
* Access Credentials
  * Phone authentication devices
  * Hardware tokens
  * WebAuthn credentials
* Administrative Roles and associated permissions

#### Users

| Attribute                  | Description                                                              |
| -------------------------- | ------------------------------------------------------------------------ |
| first\_name                | User's first name                                                        |
| last\_name                 | User's last name                                                         |
| username                   | User's login username                                                    |
| email                      | User's email address                                                     |
| enable\_auto\_prompt       | Controls automatic authentication method prompting                       |
| is\_enrolled               | Indicates if user has configured authentication methods                  |
| last\_directory\_sync      | Timestamp of last directory sync                                         |
| lockout\_reason            | Reason for account lockout if applicable                                 |
| status                     | User account status (active/bypass/disabled/locked out/pending deletion) |
| is\_admin                  | Indicates administrator status                                           |
| password\_change\_required | For admin users, indicates required password change                      |
| created\_at                | Account creation timestamp                                               |
| last\_login\_at            | Most recent login timestamp (admin users only)                           |
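The user attributes above are the ones that matter for MFA coverage: a `bypass` status means Duo never prompts that user, an unenrolled active user has no factor to prompt, and an administrator who has not logged in for months is a dormant privileged account. The following is an added example, not Veza's code, that turns those observations into a small triage pass over records shaped like the Duo Admin API user object (the field names in the table). The `SAMPLE_USERS`, the `NOW` timestamp and the 90-day dormancy threshold are constructed for the example.

```python
"""Triage Duo user records for MFA coverage and admin hygiene (added example,
not Veza's code). Input records use the Duo Admin API field names from the
table above; timestamps are Unix epoch seconds as the API returns them."""
import time

DORMANT_DAYS = 90  # assumption for this example: admins idle this long get flagged

NOW = 1_700_000_000  # fixed "current time" so the constructed sample is reproducible
SAMPLE_USERS = [  # constructed records, not real Duo data
    {"username": "alice", "status": "active", "is_enrolled": True, "is_admin": False},
    {"username": "bob", "status": "bypass", "is_enrolled": True, "is_admin": False},
    {"username": "carol", "status": "active", "is_enrolled": False, "is_admin": False},
    {"username": "dave", "status": "active", "is_enrolled": True, "is_admin": True,
     "last_login_at": NOW - 120 * 86400, "password_change_required": False},
    {"username": "erin", "status": "locked out", "is_enrolled": True, "is_admin": False,
     "lockout_reason": "constructed lockout reason"},
    {"username": "frank", "status": "active", "is_enrolled": True, "is_admin": True,
     "last_login_at": NOW - 3 * 86400, "password_change_required": True},
]


def triage_user(user, now):
    """Return a list of finding strings for one Duo user record."""
    findings = []
    status = user.get("status")
    if status == "bypass":
        # Bypass users authenticate with primary credentials only; Duo never prompts.
        findings.append("MFA bypass: status is 'bypass'")
    if status == "active" and not user.get("is_enrolled"):
        findings.append("no MFA factor enrolled")
    if status == "locked out":
        findings.append(f"locked out: {user.get('lockout_reason') or 'reason not given'}")
    if user.get("is_admin"):
        last = user.get("last_login_at")
        if last is None:
            findings.append("admin has never logged in")
        elif now - last > DORMANT_DAYS * 86400:
            findings.append(f"dormant admin: no login in {(now - last) // 86400} days")
        if user.get("password_change_required"):
            findings.append("admin password change outstanding")
    return findings


def triage(users, now=None):
    """Map username -> findings, omitting users with nothing to report."""
    now = int(time.time()) if now is None else now
    report = {}
    for user in users:
        findings = triage_user(user, now)
        if findings:
            report[user["username"]] = findings
    return report


if __name__ == "__main__":
    for username, findings in triage(SAMPLE_USERS, now=NOW).items():
        print(username, findings)
```

Run against a real export, the `bypass` and `no MFA factor enrolled` findings are the ones to reconcile with the access paths Veza shows for those users, since they are accounts for which the second factor the rest of the policy assumes is not actually enforced.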

#### Groups

| Attribute | Description                                          |
| --------- | ---------------------------------------------------- |
| status    | Group authentication status (Active/Bypass/Disabled) |

#### Access Credentials

**Phone Authentication**

| Attribute    | Description       |
| ------------ | ----------------- |
| factor\_type | Set to "phone"    |
| platform     | Phone platform/OS |
| name         | Phone identifier  |

**Hardware Tokens**

| Attribute    | Description              |
| ------------ | ------------------------ |
| factor\_type | Set to "hardware\_token" |
| serial       | Token serial number      |
| name         | Token identifier         |

**WebAuthn Credentials**

| Attribute    | Description                   |
| ------------ | ----------------------------- |
| factor\_type | Set to "webauthn\_credential" |
| label        | Credential label              |
| name         | Credential name               |
| created\_at  | Credential creation timestamp |

#### Administrative Roles

The integration maps Duo administrative roles to permissions. Each role's capabilities are mapped to Veza canonical permissions as follows:

| Role                | Key Capabilities                                                                                                        | Mapped Permissions                                                       |
| ------------------- | ----------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ |
| Owner               | Full access to all actions, objects, and settings. Can manage other administrators and API applications.                | `DataRead`, `DataWrite`, `MetadataRead`, `MetadataWrite`                 |
| Administrator       | Can manage users, devices, settings, policies, and applications (except Admin API). Cannot manage other administrators. | `DataRead`, `DataWrite`, `MetadataRead`, `MetadataWrite` (limited scope) |
| Application Manager | Can manage protected applications and SSO sources. Limited user/device information access.                              | `DataRead`, `MetadataRead` (applications only)                           |
| User Manager        | Can manage users, phones, tokens, and bypass codes. Can run directory synchronization.                                  | `DataRead`, `DataWrite` (users only)                                     |
| Security Analyst    | Can manage security settings, process events, view logs. Limited user management.                                       | `DataRead`, `MetadataRead`                                               |
| Help Desk           | Can manage user devices and authentication. Cannot create/delete users or run bulk operations.                          | `DataRead`, `DataWrite` (limited scope)                                  |
| Billing             | Access to billing information and sub-account management only.                                                          | `DataRead` (billing only)                                                |
| Read-only           | Can view basic information about users, groups, devices, and reports. No modification rights.                           | `DataRead`                                                               |
