This document provides the steps required to configure the Duo Security Inspector.
Recommended Agent: On-Demand
Supported Agents: On-Demand, On-Premises, or Self-Hosted
Is Auto-Discovered By: N/A
Can Auto-Discover: Duo Child Accounts
Parent/Child Type Inspector: Yes
Inspection via: API
Data Summary: Here
See it in Action
Video isn't playing? Click here.
Inspector Setup Preparation
Accounts vs. Admin API
If you have a Parent MSP account with Child accounts set up for Duo, you need to set up both the Accounts API and Admin API in the Parent account in order for Liongard to provide auto-discovery and inspect the Child accounts
If you only want to inspect a single account, you only need to enable the Admin API.
Step 1: Set up Accounts API Access
To enable Accounts API and get the credentials needed, follow the directions provided by Duo
Step 2: Set up Admin API Access
To enable Admin API and get the credentials needed, please follow the directions provided by Duo
Minimum permissions required:
- Grant read information
- Grant read log
- Grant read resource
Additional permissions you can provide:
- If you wish to gather Duo settings on an account, such as password policies, enable the the Grant settings permission
- If you wish to gather a list of the Administrator users for a Duo account, enable the Grant administrators permission
Liongard will not pull application/integration details at this time, regardless of the whether the Grant applications permission is enabled, due to security concerns about the level of details which are exposed on Duo's API endpoint.
Liongard Inspector Setup
Step 1: Parent Inspector Setup
Since Duo Security is a multi-tenant system where a single portal is used to manage many Environments, you will set up a single "Parent" Inspector with the API Key that will then auto-discover "Child" Inspectors for each Environment.
In Liongard, navigate to Admin > Inspectors > Inspector Types > Navigate to the Duo Security* Inspector > Add System**.
Fill in the following information:
- Type of Inspector: Parent
- Environment: Select your MSP's Environment
- Friendly Name: Suggested Naming: [MSP Name] Duo Security Parent
- Agent: Select On-Demand Agent
- Inspector Version: Latest
- API Hostname: The Hostname of the API as provided in the Integrations console for the API(s).
- Both the Accounts and Admin API will have the same Hostname in your Parent account.
- Accounts Integration Key: The Accounts API integration Key as provided in the Integration console under the Accounts API application.
- Accounts Secret Key: The Accounts API integration Secret as provided in the Integration console under the Accounts API application.
- Admin Integration Key: The Admin API Integration Key as provided in the Integration console under the Admin API application.
- Admin Secret Key The Admin API Integration Secret as provided in the Integration console under the Admin API application.
- Scheduling: The Inspector will default to run once a day at the time the Inspector is set up. Here you can adjust the schedule
Select Save. The Inspector will now be triggered to run within the minute.
Step 2: Child Inspector Setup
After the first run of the Parent Inspector, your client Duo Security organizations will be Auto-Discovered in the Discovered Systems tab on the Inspectors > Duo Security page.
Navigate to the Discovered Systems tab in your Inspectors > Duo Security page
- Activate or Archive your Discovered Systems by ensuring that they're mapped to the correct Environment > Check the checkbox to the left of Inspector(s) > Select the Actions drop down menu > Activate Launchpoints
Parent Inspector is working, but Child Inspectors are failing.
First, verify you have set up both the Accounts API and Admin API for your DUO Parent Inspector. If you have, generate a new set of API keys.
Optional: Turn on Flexible Asset/Configuration Auto-Updating
If you would like this Inspector's data to be sent to ConnectWise and/or IT Glue, turn on Flexible Assets/Configurations for this Inspector:
- ConnectWise: Admin > Integrations > ConnectWise > Configuration Types > Confirm the "Configuration Auto-Updating" toggle is enabled
- IT Glue: Admin > Integrations > IT Glue > Flexible Assets > Confirm the "Flexible Asset Auto-Updating" toggle is enabled
Updated 2 months ago