Any phones or tokens that were attached to the Duo user before the directory sync will remain intact.
User import via AD sync can fail for a few possible reasons: The account you use typically does not require Domain Admin privileges, but it does need at least the “Log on as a service” right on the Authentication Proxy server and read access to Active Directory.
Changing synced attribute values in Active Directory (AD) has the following effects on imported users: No, user attributes synced from an external directory cannot be edited in Duo.
This includes username, real name, email address, phone numbers, notes, and group memberships.
The Active Directory attributes synchronized to Duo can be changed using custom attribute mapping.
Imported values may not be changed from the Duo Admin Panel.
To update any of the imported values, change the source attribute value in your directory and perform a sync.
See How are synced users affected if I change the values of certain user attributes in Active Directory?
The disabled Duo user is still tagged as a directory user, is read-only, and cannot be manually enabled.
When a user is synced from an external directory to Duo, new phones will be created using the mobile and telephone numbers present for each user if a phone with that number does not already exist in Duo.
The user's properties are read-only and you are no longer billed for that user.
If the user marked for deletion is not reconnected to an external directory account via the sync within seven days the user is automatically deleted from Duo.
This may affect your licensed user count and impact or prevent user authentications.