The purpose of this guide is to assist Duo administrators in identifying and resolving issues related to disabled status and/or locked out Duo end-user accounts.
If you are an end-user locked out of a Duo-protected application and seeing error messages like the ones below, please contact the IT help desk at your organization so they can restore access. If you are an end-user locked out of a third-party application like Facebook or Instagram, please see What do I do if I’m locked out of Instagram, Facebook, or another third-party Duo Mobile account?
Overview
When a user's status in the Duo Admin Panel is listed as "Disabled," the user is not permitted to use Duo two-factor authentication, and log on is denied. When a user is managed by Entra ID or AD directory sync, "Disabled" status is determined by the user's status in the source directory.
Similarly, when a user is locked out, the user is not permitted to use Duo two-factor authentication, and log on is denied. However, this is a distinct scenario from when a Duo user is disabled. A user becomes locked out after a certain number of consecutive failed authentication attempts. The default lockout threshold is 10 failed attempts, but this number can be adjusted in the Settings page of the Admin Panel. Read more about the user lockout settings in the documentation.
There are several possible states a user could be in that would prevent them from being able to authenticate. Please see below to identify each of the user states and how to resolve them.
User has been disabled in the synced directory
A Duo user managed by directory sync has their enabled/disabled status verified in the source directory every time a directory sync occurs. If a user is disabled in the source directory, their account status is updated by the sync to "Disabled".
Directory sync does not check for locked-out status in the source directory and will not apply "Locked Out" status to any Duo user.
Error displayed
If the application supports the web-based Duo prompt, the end-user will see:
Traditional Duo Prompt
"Your two-factor account is disabled. Contact an administrator for assistance."
Universal Prompt
"Account disabled
Your Duo account is disabled and cannot access this application. Please contact your IT help desk."

Confirm the issue
You can confirm this in the Admin Panel by searching for the user, then reviewing the “Status” section on the user page:
Resolution
You cannot manually change the user's status, as this user is synced from the directory. You will need to resolve the lockout within the source directory.
After you have resolved the user status issue in the source directory, scroll to the top of the user page in the Duo Admin Panel and select Sync This User.
This will run a sync against the directory for this user. Once the sync is complete, you should be able to see the status of the user return to “Active”. Depending on your environment, it may take several minutes for your directory servers to replicate.
User has been manually set to "Disabled" status
If your organization manages users manually, or if you manage users externally using our API, then the user status can be manually changed in the Admin Panel. In this scenario, the user was manually set to "Disabled."
Error displayed
If the application supports the web-based Duo prompt, the end-user will see:
Traditional Duo Prompt
"Your two-factor account is disabled. Contact an administrator for assistance."
Universal Prompt
"Account disabled
Your Duo account is disabled and cannot access this application. Please contact your IT help desk."

Confirm the issue
You can confirm this in the Admin Panel by reviewing the “Status” section on the resulting page when searching for this specific user:
Resolution
You can resolve this by returning the user’s status to “Active” and saving the user page. If your organization manages users via API and the underlying cause of the user status change in your API calls is not remedied, the user may be set to "Disabled" status again in the future.
User has been deleted
A user might be placed in pending deletion if they were manually deleted by an administrator, due to an Inactive User Expiration policy, or due to an issue or misconfiguration with Directory sync.
Error displayed
If the application supports the web-based Duo prompt, the end-user will see:
Traditional Duo Prompt
"Your two-factor account is disabled. Contact an administrator for assistance."
Universal Prompt
"Account disabled
Your Duo account is disabled and cannot access this application. Please contact your IT help desk."
Confirm the issue
You can confirm whether the user was deleted in the Admin Panel by reviewing the Trash section of the users.
Resolution
Other reasons a Duo user may not authenticate
User has reached the lockout threshold in Duo
This means the user has reached the specified number of failed authentication attempts to trigger the auto-lockout threshold set in your Duo account's global settings.
Regarding synced users: Duo directory sync does not check for a user's "locked out" status in the source directory, and will not apply "locked out" status to a Duo user based on directory sync.
Error displayed
If the application supports the web-based Duo prompt, the end-user will see:
Traditional Duo Prompt
"Your account has been locked out due to excessive authentication failures. Please contact your administrator."
Universal Prompt
"Account disabled
Your Duo account is disabled and cannot access this application. Please contact your IT help desk."

Confirm the issue
You can confirm this in the Admin Panel by searching for the user, then reviewing the “Status” section on the user page:
Resolution
If you enabled the "Revert user status to Active after _ minutes" setting in your global settings, accounts with "Locked Out" status unlock automatically when the specified time elapses.
If you don't want to wait for automatic unlock, or if you have not enabled automatic unlock in your settings, unlock a user manually by setting the user status to "Active" in the Admin Panel and then saving the user page.
Read more about the lockout threshold settings in the documentation: Duo administration settings - Lockout and fraud.
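The lockout and automatic-unlock behavior described in this section, replayed over sample authentication events as an added example (not Duo's code and not part of the original guide). The reset-on-success rule, the ignoring of attempts made while locked, and the warn_at level are assumptions of this model, and the events are constructed.

```python
from datetime import datetime, timedelta

DEFAULT_THRESHOLD = 10  # default lockout threshold stated in this guide

def lockout_status(events, as_of, threshold=DEFAULT_THRESHOLD,
                   revert_minutes=None, warn_at=5):
    """Replay (timestamp, user, succeeded) events; return {user: status}.

    Assumed model, not Duo's implementation: a success resets the
    consecutive-failure count, reaching the threshold locks the user,
    attempts made while locked are ignored, and the lock clears after
    revert_minutes (None = an administrator must unlock manually).
    warn_at is a hypothetical early-warning level, not a Duo setting.
    """
    def expired(locked_at, now):
        return (revert_minutes is not None
                and now >= locked_at + timedelta(minutes=revert_minutes))

    state = {}  # user -> [consecutive failures, time locked or None]
    for ts, user, succeeded in sorted(events):
        s = state.setdefault(user, [0, None])
        if s[1] is not None:
            if not expired(s[1], ts):
                continue          # still locked: attempt denied, not counted
            s[0], s[1] = 0, None  # automatic unlock has happened
        s[0] = 0 if succeeded else s[0] + 1
        if s[0] >= threshold:
            s[1] = ts             # threshold reached: user is locked out

    result = {}
    for user, (streak, locked_at) in state.items():
        if locked_at is not None and not expired(locked_at, as_of):
            result[user] = "locked out"
        elif locked_at is None and streak >= warn_at:
            result[user] = "at risk"
        else:
            result[user] = "ok"
    return result

# Constructed sample events, one attempt per minute per user.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = (
    [(T0 + timedelta(minutes=i), "alice", False) for i in range(12)]
    + [(T0 + timedelta(minutes=i), "bob", i == 9) for i in range(12)]
    + [(T0 + timedelta(minutes=i), "carol", False) for i in range(6)]
)

if __name__ == "__main__":
    print(lockout_status(SAMPLE, as_of=T0 + timedelta(hours=1)))
```

With no automatic unlock, alice stays locked out until an administrator sets her status to "Active"; passing revert_minutes=30 shows her unlocked again by the one-hour mark.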
User is attempting to log in to an application that has User access settings for permitted groups configured
If the User access > Enable only for permitted groups setting is configured on an application, and a user is not a member of the permitted group, then they will not be able to log in to the application.
Error displayed
If the application supports the web-based Duo prompt, the end-user will see:
Traditional Duo Prompt
"Your account does not have access to this application. Contact an administrator for assistance."

Universal Prompt
"Page access not allowed
Your Duo account does not have access to this application. Please contact your IT help desk."

Confirm the issue
- Log in to the Duo Admin Panel.
- Navigate to the application that triggered the error message for the user.
- Under User access > Enable only for permitted groups, verify whether there are permitted groups listed on the application.
Resolution
If there are permitted groups, ensure that the user is a member of a permitted group listed on the application.