Cisco Duo is one of the most common MFA products underwriters see in SMB and MSP-managed environments. Duo's reporting is comparatively straightforward, but many renewal packets still fail because they submit only a log export or only a policy screenshot instead of showing both coverage and real usage. All Duo editions — Free, Essentials, Advantage, and Premier — include authentication log and user export capabilities.
Underwriters want to understand how many users are actually enrolled, whether MFA challenges occurred during the relevant period, whether Duo protects the access paths that matter most (remote access, privileged logins), and whether there are bypassed or weaker user states. A "bypass" status means MFA is not required for that user — carriers flag this. "Enrolled" means MFA is configured and active. "Disabled" means the account is inactive. The strongest evidence packet includes a user enrollment export, an authentication log, and a written explanation of scope.
Duo's biggest operational limit is the 180-day retrieval window for authentication logs in the Admin Panel and API. This is a hard cap — logs older than 180 days cannot be exported regardless of the retention setting. Required: an admin role with reporting access. The Duo Admin API endpoint /admin/v1/logs/authentication supports automated export. Export formats include CSV and JSON.
In the Duo Admin Panel, go to Reports > Authentication Log. Filter for the renewal window (up to 180 days) and export as CSV or JSON. This is your strongest proof that MFA challenges actually occurred. Filter intelligently so the output is readable.
Pro tip: Filter by application or user group to produce focused evidence rather than dumping six months of noise.
Suggested filename: duo-authentication-log-2025-10-to-2026-03.csv
Export the full user list from the Users section showing enrollment status, last authentication date, and device count. This gives underwriters the coverage view. Pay attention to the User Status field: "enrolled" vs "bypass" vs "disabled" tells the real story.
Pro tip: Flag any users in "bypass" status and explain why — carriers treat unexplained bypass accounts as a red flag.
If Duo protects VPN, RDP, Entra ID external MFA, or SSO-connected apps, document that scope plainly. The underwriting question is not "do you own Duo" but "what is Duo actually protecting." A short paragraph explaining scope can be more useful than another screenshot.
For repeatable evidence collection, use the Duo Admin API endpoint /admin/v1/logs/authentication. Manual evidence collection tends to break when the same task comes around 6 or 12 months later. Available in all Duo editions.
Duo enforces a 180-day retrieval limit for authentication logs in the Admin Panel and API, regardless of the backend retention setting.
Duo supports CSV and JSON export formats for authentication logs and user data.
Enrolled means MFA is active. Bypass means MFA is skipped for that user — carriers flag this. Disabled means the account is inactive.
All Duo editions (Free, Essentials, Advantage, Premier) include authentication log and user export. Trust Monitor requires Advantage or Premier.
Tired of stitching Duo logs and enrollment exports together by hand? Run a free readiness check.
Run Free Readiness Check →