Skip to main content

Connecting Vanta & Duo

Overview

Vanta integrates with Duo to sync user, administrator, group, and role data from your Duo environment on a recurring basis. This integration gives you centralized visibility into Duo so you can monitor who has access, verify that deprovisioning is completed when personnel leave, streamline access review and request workflows, and optionally deactivate eligible Duo accounts during employee offboarding, all from within Vanta.

Estimated setup time: Less than 10 minutes.

How it works

Vanta connects to Duo and syncs user, role, and group data on a recurring basis. This data powers the following workflows within Vanta:

  • Automated compliance tests - Vanta verifies whether Duo accounts are linked to active employees and flags accounts belonging to terminated personnel that have not yet been deactivated so you can take action.

  • Access Reviews - Synced users are surfaced in Vanta’s Access Reviews. Approvers can validate whether access remains appropriate, confirm least-privilege alignment, and generate audit-ready evidence.

  • Access Requests - Duo entitlements (group and admin roles) are imported into Vanta. Requesters can submit access requests, approvers can review those requests with appropriate context, and system administrators can track provisioning activity.

  • Automated deprovisioning - If enabled, Vanta can deactivate eligible Duo 2FA user and administrator accounts during employee offboarding.

Prerequisites

To connect the Duo integration, you must have:

  • A Vanta administrator account

  • A Duo account with the Owner administrator role (only Owners can create Admin API applications in Duo)

  • Access to the Duo Admin Panel

  • A Duo plan that includes Admin API access

  • A Duo Admin API application configured with the following permission grants:

    • For read-only syncing:

      • Grant administrators - Read

      • Grant resource - Read

    • To enable automated deprovisioning through Vanta, also grant:

      • Grant administrators - Write

      • Grant resource - Write

⚠️ Note: Customers who do not enable automated deprovisioning can continue using the read-only setup.

Connect the integration

Step 1: Locate the Duo integration in Vanta

  • In Vanta, go to the Integrations page, click Add integration, and search for Duo. For help, see our guide to the Integrations Page.

  • Click Connect.

Step 2: Create an Admin API Application in Duo

As indicated in the connection modal, you must create a new application in Duo to integrate with Vanta.

  • Navigate to Applications > Applications to view all installed applications.

  • Click Add application.

  • In the application catalog, search for Admin API.

    • Only Owner administrators can create this type of application.

    • Click Add to create a new Admin API application.

Step 3: Configure application permissions

Once the Admin API application is created:

  • Locate the Details section. This contains the values required by Vanta.

  • Ensure the following permissions are granted for read-only syncing:

    • Grant Administrators – Read

    • Grant Resource – Read

  • To enable automated deprovisioning through Vanta, also grant:

    • Grant Administrators - Write

    • Grant Resource - Write

Without the Read permissions, Vanta will not be able to retrieve Duo account data. Without the Write permissions, Vanta can still sync Duo data but cannot deactivate Duo accounts during employee offboarding.

⚠️ Note: Write permissions allow Vanta to update Duo user and administrator status only for automated deprovisioning when the feature is enabled in Vanta.

⚠️ Note: If only “Grant resource-Read” is enabled, Vanta will sync 2FA users but will not sync administrator accounts or their roles. Both Read permissions are recommended for full visibility.

Step 4: Complete the connection in Vanta

  • Copy the following values from Duo:

    • Integration Key

    • Secret Key

    • API Hostname

  • Return to the Vanta and paste the values into the corresponding fields in Vanta

  • If you want Vanta to deactivate eligible Duo accounts during employee offboarding, select Enable automated deprovisioning.

  • Click Validate and store to complete the connection

Once credentials are validated, the integration connects successfully and Vanta begins syncing data.

Capabilities

The Duo integration supports the following resources and workflows within Vanta:

  • Users — Used for Access Reviews, Access Requests, and Automated Tests

  • Groups — Supported for 2FA users and used in Access Reviews and Access Requests

  • Roles/Entitlements — Supported for admin users and used in Access Reviews and Access Requests

  • Last Login — Used in Access Reviews and Access Requests

Resource

Supported

Used for

Users (2FA)

Access Reviews, Access Requests, Automated Tests, Automated Deprovisioning

Users (Admins)

Access Reviews, Access Requests, Automated Tests, Automated Deprovisioning

Groups

✅(For 2FA Users)

Roles/Entitlements

✅(For Admin users)

Last Login

Permissions

Vanta accesses the following data from the Duo Admin API:

Read access:

Vanta can access:

  • User data (2FA):

    • Used to monitor which employees have Duo access and to identify accounts belonging to terminated personnel that have not yet been deactivated — so you can take action in Duo.

    • Users with a status of disabled or pending deletion are automatically excluded from the sync.

    • In Access Requests, this allows Vanta to display available users when tracking or assigning access.

  • User data (Administrator accounts):

    • Used to monitor which employees have administrative access to Duo and to verify that high-privilege admin roles (for example, Owner) are granted only to authorized personnel.

    • Only administrators with Active status are synced.

    • Requires the Grant administrators — Read permission on the Admin API application.

    • In Access Requests, this allows requesters to select from the correct set of admin roles and enables approvers to review the level of access being requested.

  • User group data

    • Used to validate least-privilege access and confirm that group-based access controls align with compliance requirements.

    • Group membership is derived from the Duo Admin API user data — specifically, the groups associated with each 2FA user.

    • In Access Requests, this enables approvers to see which groups grant access and map access levels to entitlements.

  • User role and entitlement data

    • Used to verify that employees are assigned appropriate roles, validate least-privilege access, and confirm that high-privilege roles are granted only to authorized personnel.

    • In Access Requests, this allows requesters to select from the correct set of roles and enables approvers to review the level of access being requested.

Write access:

  • Vanta does not write to Duo unless automated deprovisioning is enabled for the integration.

  • When automated deprovisioning is enabled, Vanta can update Duo user and administrator account status to deactivate accounts during employee offboarding.

  • Vanta does not create Duo users, groups, applications, or settings.

  • Users synced from an upstream directory such as Entra ID, Active Directory, or SCIM may need to be deprovisioned in that directory instead of Duo.

Troubleshooting and FAQs

This section outlines common issues that may occur during setup. It is not an exhaustive list but focuses on the most frequent points of failure.

Q: Does Vanta automatically deprovision (disable or delete) users in Duo?

A: Yes, if automated deprovisioning is enabled for the Duo integration. Vanta deactivates eligible Duo 2FA users and Duo administrator accounts during employee offboarding by updating their Duo account status. Vanta does not permanently delete Duo accounts.

If automated deprovisioning is not enabled, Vanta remains read-only. It monitors and surfaces Duo account data so you can identify accounts that need to be deprovisioned, but the actual deactivation or removal must be done directly in Duo or via your existing offboarding workflows.

Q: Do I need to grant additional Duo permissions to enable automated deprovisioning?

A: Yes. Read-only syncing requires Grant administrators - Read and Grant resource - Read. Automated deprovisioning also requires Grant administrators - Write and Grant resource - Write.

If you already connected Duo with read-only permissions, update the existing Admin API application in Duo to add the Write permissions, then edit the Duo integration in Vanta, enable automated deprovisioning, and validate and store the credentials again.

Q: Which Duo accounts can Vanta deactivate?

A: Vanta can deactivate eligible Duo 2FA user accounts and Duo administrator accounts that are synced into Vanta. Duo users and Duo administrators are separate account types in Duo; if the same person has both types of access, each account is evaluated separately. Duo Owner administrators cannot be disabled through the Duo API.

Q: What if a Duo user is managed by Entra ID, Active Directory, or SCIM?

A: Some Duo users are managed by an upstream directory. Duo may block direct deactivation of those users through the Duo Admin API. If this happens, Vanta will show that the account is managed by a synced directory. Deactivate the user in the source directory, then sync Duo again.

Q: Which Duo user statuses are synced?

A: For 2FA users, all statuses except disabled and pending deletion are synced. For admin users, only those with Active status are synced.

Q: Where do groups come from?

A: Group membership is derived from the Duo Admin API user data — specifically, the groups associated with each 2FA user.

Q: Why aren't admin users, roles, or groups appearing in Vanta after connecting Duo?

A: This usually means the Grant administrators — Read permission was not enabled on the Admin API application in Duo. Vanta checks for this permission before attempting to fetch admin data — if it's not present, Vanta will still sync 2FA users but will skip admin accounts and their roles entirely.

To fix this:

  • Log into the Duo Admin Panel.

  • Navigate to Applications → Application Catalog and open your Admin API application.

  • Enable Grant administrators — Read.

  • Vanta will pick up the change on the next sync cycle. If data still does not appear, disconnect and reconnect the integration in Vanta to force a fresh sync.