Overview
Vanta integrates with Duo to sync user, administrator, group, and role data from your Duo environment on a recurring basis. This integration gives you centralized visibility into Duo so you can monitor who has access, verify that deprovisioning is completed when personnel leave, and streamline access review and request workflows, all from within Vanta.
Estimated setup time: Less than 10 minutes.
How it works
Vanta connects to Duo and syncs user, role, and group data on a recurring basis. This data powers the following workflows within Vanta:
Automated compliance tests - Vanta verifies whether Duo accounts are linked to active employees and flags accounts belonging to terminated personnel that have not yet been deactivated so you can take action.
Access Reviews - Synced users are surfaced in Vanta’s Access Reviews. Approvers can validate whether access remains appropriate, confirm least-privilege alignment, and generate audit-ready evidence.
Access Requests - Duo entitlements (group and admin roles) are imported into Vanta. Requesters can submit access requests, approvers can review those requests with appropriate context, and system administrators can track provisioning activity.
Prerequisites
To connect the Duo integration, you must have:
A Vanta administrator account
A Duo account with the Owner administrator role (only Owners can create Admin API applications in Duo)
Access to the Duo Admin Panel
A Duo plan that includes Admin API access, and an Admin API application configured with the following permission grants:
Grant administrators - Read
Grant resource - Read
Connect the integration
Step 1: Locate the Duo integration in Vanta
In Vanta, navigate to Integrations.
Search for Duo and select View details.
Click Connect.
Step 2: Create an Admin API Application in Duo
As indicated in the connection modal, you must create a new application in Duo to integrate with Vanta.
Log into your Duo admin panel.
Navigate to Applications > Applications to view all installed applications.
Click Add application.
In the application catalog, search for Admin API.
Only Owner administrators can create this type of application.
Click Add to create a new Admin API application.
Step 3: Configure application permissions
Once the Admin API application is created:
Locate the Details section. This contains the values required by Vanta.
Ensure the following permissions are granted:
Grant administrators - Read
Grant resource - Read
Without these permissions, Vanta will not be able to retrieve Duo account data.
Note: If only "Grant resource - Read" is enabled, Vanta will sync 2FA users but will not sync administrator accounts or their roles. Both permissions are recommended for full visibility.
Step 4: Complete the connection in Vanta
Copy the following values from Duo:
Integration Key
Secret Key
API Hostname
Return to Vanta and paste the values into the corresponding fields.
Click Validate and store to complete the connection.
Once credentials are validated, the integration connects successfully and Vanta begins syncing data.
Capabilities
The Duo integration supports the following resources and workflows within Vanta:
Users — Used for Access Reviews, Access Requests, and Automated Tests
Groups — Supported for 2FA users and used in Access Reviews and Access Requests
Roles/Entitlements — Supported for admin users and used in Access Reviews and Access Requests
Last Login — Used in Access Reviews and Access Requests
Resource | Supported | Used for |
Users (2FA) | ✅ | Access Reviews, Access Requests, Automated Tests |
Users (Admins) | ✅ | Access Reviews, Access Requests, Automated Tests |
Groups | ✅ (for 2FA users) | Access Reviews, Access Requests |
Roles/Entitlements | ✅ (for admin users) | Access Reviews, Access Requests |
Last Login | ✅ | Access Reviews, Access Requests |
Permissions
Vanta accesses the following data from the Duo Admin API:
Read access:
Vanta can access:
User data (2FA):
Used to monitor which employees have Duo access and to identify accounts belonging to terminated personnel that have not yet been deactivated — so you can take action in Duo.
Users with a status of disabled or pending deletion are automatically excluded from the sync.
In Access Requests, this allows Vanta to display available users when tracking or assigning access.
User data (Administrator accounts):
Used to monitor which employees have administrative access to Duo and to verify that high-privilege admin roles (for example, Owner) are granted only to authorized personnel.
Only administrators with Active status are synced.
Requires the Grant administrators — Read permission on the Admin API application.
In Access Requests, this allows requesters to select from the correct set of admin roles and enables approvers to review the level of access being requested.
User group data
Used to validate least-privilege access and confirm that group-based access controls align with compliance requirements.
Group membership is derived from the Duo Admin API user data — specifically, the groups associated with each 2FA user.
In Access Requests, this enables approvers to see which groups grant access and map access levels to entitlements.
User role and entitlement data
Used to verify that employees are assigned appropriate roles, validate least-privilege access, and confirm that high-privilege roles are granted only to authorized personnel.
In Access Requests, this allows requesters to select from the correct set of roles and enables approvers to review the level of access being requested.
Write access:
Vanta does not write to Duo. The integration is strictly read-only. Vanta will never modify, create, disable, or delete any users, groups, applications, or settings in your Duo environment.
Troubleshooting and FAQs
This section outlines common issues that may occur during setup. It is not an exhaustive list but focuses on the most frequent points of failure.
Q: Does Vanta automatically deprovision (disable or delete) users in Duo?
A: No. Vanta is read-only. It monitors and surfaces Duo account data so you can identify accounts that need to be deprovisioned, but the actual deactivation or removal must be done directly in Duo or via your existing offboarding workflows.
Q: Which Duo user statuses are synced?
A: For 2FA users, all statuses except disabled and pending deletion are synced. For admin users, only those with Active status are synced.
Q: Where do groups come from?
A: Group membership is derived from the Duo Admin API user data — specifically, the groups associated with each 2FA user.
Q: Why aren't admin users, roles, or groups appearing in Vanta after connecting Duo?
A: This usually means the Grant administrators — Read permission was not enabled on the Admin API application in Duo. Vanta checks for this permission before attempting to fetch admin data — if it's not present, Vanta will still sync 2FA users but will skip admin accounts and their roles entirely.
To fix this:
Log into the Duo Admin Panel.
Navigate to Applications → Application Catalog and open your Admin API application.
Enable Grant administrators — Read.
Vanta will pick up the change on the next sync cycle. If data still does not appear, disconnect and reconnect the integration in Vanta to force a fresh sync.
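A pre-flight check for the Admin API application created in Step 3, added here as an example (this is not Vanta's or Duo's own code): it signs requests with Duo's documented HMAC-SHA1 scheme and probes /admin/v1/users and /admin/v1/admins, which correspond to the Grant resource - Read and Grant administrators - Read grants, so you can confirm both grants before connecting or while troubleshooting. The integration key, secret key and hostname are placeholders, and the mapping of HTTP 403 to a missing grant and 401 to bad credentials is an assumption about Duo's responses.

```python
import base64
import hashlib
import hmac
import http.client
from email.utils import formatdate
from urllib.parse import quote

def encode_params(params):
    """Sort and URL-encode params the way Duo canonicalizes them ('~' stays unescaped)."""
    return "&".join(f"{quote(k, '~')}={quote(str(params[k]), '~')}" for k in sorted(params))

def sign_request(ikey, skey, host, method, path, params, date=None):
    """Headers for one signed Admin API call: HMAC-SHA1 over the newline-joined
    date, method, host, path and params, sent as the Basic-auth password with the ikey."""
    date = date or formatdate(usegmt=True)  # RFC 2822 in GMT; Duo rejects stale dates
    canon = "\n".join([date, method.upper(), host.lower(), path, encode_params(params)])
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    auth = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {auth}"}

def decode_authorization(header):
    """Split a Basic header back into (integration key, hex signature), for inspection."""
    return tuple(base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1))

def classify(status):
    """Assumed mapping of Duo's HTTP status to the guide's troubleshooting outcomes."""
    if status == 200:
        return "ok"
    if status == 403:
        return "permission grant missing on the Admin API application"
    if status == 401:
        return "invalid integration/secret key, or Date header rejected"
    return f"unexpected HTTP {status}"

def probe(ikey, skey, host, path):
    """GET one endpoint with limit=1 (read-only, minimal data) and classify the result."""
    params = {"limit": 1}
    headers = sign_request(ikey, skey, host, "GET", path, params)
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("GET", f"{path}?{encode_params(params)}", headers=headers)
    status = conn.getresponse().status
    conn.close()
    return classify(status)

if __name__ == "__main__":
    # Placeholders: copy the real values from the application's Details section.
    IKEY, SKEY, HOST = "<integration key>", "<secret key>", "api-XXXXXXXX.duosecurity.com"
    print("Grant resource - Read       ->", probe(IKEY, SKEY, HOST, "/admin/v1/users"))
    print("Grant administrators - Read ->", probe(IKEY, SKEY, HOST, "/admin/v1/admins"))
```

If the users probe returns ok but the admins probe reports a missing grant, that is the exact condition described in the FAQ above, and enabling Grant administrators - Read on the application resolves it.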
