Duo Security: bulk delete 2FA devices (phones)

All product names, logos, and brands used in this post are property of their respective owners.

As I write this post, there is no way to mass delete 2FA devices from Duo via the Admin Console. This functionality exists for users but not devices:

Screenshot of Duo bulk delete users option

Removing multiple devices at once may be uncommon, but should the need arise, you can do it with the Duo Admin API. To flatten the learning curve, I opted to use the awesome Duo-PSModule PowerShell module created by Matt Egan, which is a robust PowerShell wrapper for the Duo Admin API.

In this post, I documented the steps I used to get the Duo Admin API and Duo-PSModule set up, along with some examples of bulk phone removal with PowerShell. Admittedly, I was in a hurry, so I cut some corners.

Create the Duo Admin API application and grant permissions

The Duo Admin API is exposed by creating a new Application of type “Admin API” in the Duo Console. Select Applications -> Protect an Application, choose the “Admin API” type, and click Protect. Take note of the Integration key, Secret key, and API hostname; these are needed to configure the PowerShell module later.

Before saving the application, check the boxes for Grant read resource and Grant write resource:

Screenshot of Duo Admin API permissions selection

Download and configure Duo-PSModule

I downloaded the zipped version of Duo-PSModule and extracted it to C:\Temp on my device. I also forced TLS 1.2 connectivity in my PowerShell session, as Matt recommends in his README.

Lastly, I specified my default Duo org ($DuoDefaultOrg) and the Admin API connection parameters ($DuoOrgs) as session variables (instead of using Duo_org.ps1). The $DuoOrgs hashtable should contain the Integration key, Secret key, and API hostname captured during the Admin API setup above:

> cd C:\Temp
> Import-Module .\Duo.psm1
> [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
> [string]$DuoDefaultOrg = "MyDuo"
> [Hashtable]$DuoOrgs = @{
      MyDuo = [Hashtable]@{
          iKey    = [string]"DI******************"
          sKey    = [string]"****************************************"
          apiHost = [string]"api-********.duosecurity.com"
      }
  }
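The $DuoOrgs hashtable above holds the Admin API secret key in clear text, so anything that captures the script or the session transcript captures a credential with write access to Duo. The following added example (my own code, not from the post or from Duo-PSModule) builds the same hashtable from environment variables instead, and sanity-checks the shape of each value against the masked samples shown above (20-character Integration key starting with "DI", 40-character Secret key, api-XXXXXXXX.duosecurity.com hostname). The variable names DUO_IKEY, DUO_SKEY and DUO_APIHOST and the function name are assumptions of this example.

```powershell
# Added example, not part of the original post or Duo-PSModule.
# Builds the $DuoOrgs structure that Duo-PSModule expects without embedding the
# secret key in a script or in shell history. The environment variable names
# (DUO_IKEY, DUO_SKEY, DUO_APIHOST) are this example's own convention.
function New-DuoOrgConfig {
    param(
        [string]$OrgName = 'MyDuo'
    )

    $values = @{
        DUO_IKEY    = $env:DUO_IKEY
        DUO_SKEY    = $env:DUO_SKEY
        DUO_APIHOST = $env:DUO_APIHOST
    }

    foreach ($name in $values.Keys) {
        if ([string]::IsNullOrWhiteSpace($values[$name])) {
            throw "Environment variable $name is not set."
        }
    }

    # Shape checks derived from the masked values shown on the Admin API application page:
    # 20-character integration key beginning with "DI", 40-character secret key,
    # and an api-XXXXXXXX.duosecurity.com hostname.
    if ($values.DUO_IKEY -notmatch '^DI[A-Za-z0-9]{18}$') {
        throw 'Integration key should be 20 characters and start with "DI".'
    }
    if ($values.DUO_SKEY.Length -ne 40) {
        throw 'Secret key should be exactly 40 characters.'
    }
    if ($values.DUO_APIHOST -notmatch '^api-[A-Za-z0-9]+\.duosecurity\.com$') {
        throw 'API hostname should look like api-XXXXXXXX.duosecurity.com.'
    }

    $orgs = @{}
    $orgs[$OrgName] = [Hashtable]@{
        iKey    = [string]$values.DUO_IKEY
        sKey    = [string]$values.DUO_SKEY
        apiHost = [string]$values.DUO_APIHOST
    }
    return $orgs
}

# Usage: populate the three variables for the session, then replace the literal
# hashtable from the post with the generated one.
[string]$DuoDefaultOrg = 'MyDuo'
[Hashtable]$DuoOrgs    = New-DuoOrgConfig -OrgName $DuoDefaultOrg
```

Because the secret key never appears in a .ps1 file, it also never lands in source control or in a transcript by accident; the checks catch the common copy-and-paste mistake of swapping the Integration and Secret keys before the first API call fails with an authentication error.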

With this, the Duo-PSModule is ready to roll!

Example: Remove un-assigned MFA phones from Duo

Removing unassigned devices from Duo helps keep things tidy. In this example, phones whose “users” property is empty are deleted from Duo:

duoGetPhone | where {!$_.users} |
%{ duoDeletePhone -phone_id $_.phone_id }

Example: Mass delete ALL MFA phones from Duo

This is a scary example: if you use it, be sure you know exactly what you are doing (and why). I promise I had a good reason for doing this! The following command removes ALL 2FA PHONES from your Duo instance, including ones that are assigned to users:

duoGetPhone |
%{ duoDeletePhone -phone_id $_.phone_id }
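Both one-liners above delete immediately and leave no record of what was removed. The following added example (my own code, not from the post or from Duo-PSModule) wraps the same duoGetPhone / duoDeletePhone calls in a function that first exports the selected phones to a CSV for the audit trail and then honours -WhatIf / -Confirm, so the selection can be reviewed before anything is deleted; it covers the unassigned-only case and the delete-everything case with one switch. The phone_id and users properties are the ones the post uses; number, name, platform and last_seen are Duo Admin API phone fields, and username on each attached user is assumed to match the Admin API user object. The function name and CSV path are assumptions of this example.

```powershell
# Added example, not part of the original post or Duo-PSModule.
# Deletes Duo phones with an audit CSV written first and full -WhatIf/-Confirm support.
function Remove-DuoPhones {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Restrict deletion to phones with no users attached (the post's first example).
        [switch]$UnassignedOnly,

        # Where the list of phones selected for deletion is written before removal.
        [string]$AuditCsv = (Join-Path $env:TEMP ('duo-phones-deleted-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date)))
    )

    # duoGetPhone is the Duo-PSModule cmdlet used in the post; @() keeps a single result as an array.
    $phones = @(duoGetPhone)
    if ($UnassignedOnly) {
        $phones = @($phones | Where-Object { -not $_.users })
    }

    if ($phones.Count -eq 0) {
        Write-Verbose 'No phones matched the selection; nothing to delete.'
        return
    }

    # Record what is about to be removed, including attached usernames, before the
    # information disappears from Duo. Field names other than phone_id/users are
    # Duo Admin API phone fields (assumed, not shown in the post).
    $phones |
        Select-Object phone_id, number, name, platform, last_seen,
            @{ Name = 'users'; Expression = { @($_.users | ForEach-Object { $_.username }) -join ';' } } |
        Export-Csv -Path $AuditCsv -NoTypeInformation
    Write-Verbose "Wrote $($phones.Count) phone record(s) to $AuditCsv"

    $deleted = 0
    foreach ($phone in $phones) {
        $label = '{0} ({1}, {2} user(s))' -f $phone.phone_id, $phone.number, @($phone.users).Count
        # ShouldProcess returns $false under -WhatIf and when the operator answers No at the
        # -Confirm prompt, so the delete call below is skipped in both cases.
        if ($PSCmdlet.ShouldProcess($label, 'Delete Duo phone')) {
            duoDeletePhone -phone_id $phone.phone_id
            $deleted++
        }
    }
    Write-Verbose "Deleted $deleted of $($phones.Count) selected phone(s)."
}

# Preview only: lists each phone that would be removed and deletes nothing.
#   Remove-DuoPhones -UnassignedOnly -WhatIf -Verbose
# Interactive: prompts per phone, because ConfirmImpact is High.
#   Remove-DuoPhones -UnassignedOnly
# The post's delete-everything case, with the audit CSV still written first:
#   Remove-DuoPhones -Confirm:$false -Verbose
```

Running the -WhatIf form first and reading the CSV it leaves behind is the cheapest check against the scenario the post warns about: the same command with -Confirm:$false and without -UnassignedOnly removes every phone, assigned or not, and the CSV is then the only list of which users lost a device.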