In a move to strengthen the security posture of its customers, Duo is rolling out a significant update to the way access is managed for new protected applications. During a rollout running from March 20 through March 31, 2025, Duo's defaults for permitted groups in new protected applications will change. This shift is designed to align with security best practices and reduce unnecessary access to applications.
What’s Changing?
Currently, when you create a new protected application via the Duo Admin Panel or the Duo Admin API, user access is set to "Allow All" by default. However, this will soon change. After the rollout, new protected applications will default to "Deny All," ensuring that no user or group has automatic access. Administrators will need to actively configure access by adding specific permitted groups or choosing to allow all users.
Why This Matters
The “deny by default” approach is a fundamental security measure. It minimizes the risk of unauthorized access and encourages administrators to carefully manage who can access each protected application. By taking an active role in granting access, organizations can better protect sensitive data and applications from potential threats.
Impact on Duo Admin API
This update also affects the Duo Admin API, introducing new default values. Administrators using automation with the API must adjust their code to reflect these changes to ensure continued functionality. Duo has provided guidance through its "Guide to Duo Admin API Permitted Groups/User Access Defaults" to help ease this transition.
Important Details to Note
Existing protected applications are not affected. This change applies only to new applications created after the rollout period.
If you would like more information or assistance with Duo administration components and use cases, please contact our industry-leading experts at service@helient.com.