This article describes how a Primary Administrator can change VPN Authentication for their Organization using the VPN Access setting described in Introduction to Single-Factor and Multi-Factor Client-to-Site VPN Authentication.

IMPORTANT: the feature described in this guide article is specific to VPN authentication and is completely independent of the Updated UI Two Factor Authentication feature described by How to Enable or Disable SMS Two Factor Authentication to the Cloud UI for your Organization.


  1. User must be Primary Administrator
  2. The Geographic Region cannot be in Network Maintenance for any Data Center in which the Organization has MCP 1.0 Networks or MPC 2.0 VLANs
  3. The VPN Access setting cannot be set if any of the following operations are in progress for the Organization in the target Geographic Region:
    1. Deploy VLAN
    2. Create MCP 1.0 Network
    3. Delete VLAN
    4. Delete MCP 1.0 Network

Content / Solution:

  1. Click on the Compute menu and select Account Management from the drop-down menu:

  2. The Account Management dashboard will be displayed:

  3. Click on the Manage VPN Access button on the left-hand side menu:

  4. The Manage VPN Access dialog will be displayed:

    1. The dialog includes each Geographic Region enabled for your Organization and presents the VPN Access settings available each Geographic Region. 
      1. Some Private cloud instances do not support this feature. In such cases, there will be no alternate VPN Access setting present in the dropdown menu and it will not be possible to change the means of VPN Access as a result.
    2. Identify the Geographic Region for which you wish to change the VPN Access setting.
    3. Select the desired VPN Access setting from the options available. For most Geographic Regions the choices will be Single-factor and Multi-factor.
    4. Click Confirm to save the new setting or Cancel to discard the changes and close the dialog.
      IMPORTANT: If changing from Single-factor to Multi-factor, any Users already connected to a VPN in the relevant Geographic Region are forcibly disconnected from the VPN due to the increase in security requirements for the new setting. Users not already enrolled with Duo (or whose previous enrollment has expired) will need to enroll. For more information please refer to Introduction to Single-Factor and Multi-Factor Client-to-Site VPN Authentication.