Overview π₯
When running the Duo Security Inspector, you may encounter the following error:
Cross-deployment Admin API usage through Accounts API is currently not available, please refer to: https://duo.com/docs/accountsapi#using-accounts-api-with-admin-api
This error occurs when the Child Duo tenant is not correctly linked beneath the Parent MSP account, causing the Admin API to reject cross-deployment queries.
This document explains the cause, how to resolve it, what to check if the issue persists, and how to ensure your Duo API configuration aligns with Liongardβs requirements.
Why This Happens π€
Duoβs Admin API and Accounts API must reside within the same deployment structure.
If the Child Tenant is not fully migrated under the Parent MSP account, Admin API calls failβresulting in the βCross-deploymentβ error.
Typical scenarios include:
Cause | Description |
Incorrect Parent/Child Structure | Child account was never migrated under the Parent MSP account. |
API Keys Created on Wrong Tenant | Admin API or Accounts API keys were created in the wrong (non-Parent) tenant. |
Duo Licensing Restrictions | Some endpoints require Duo Advantage or Duo Premier. |
Partially Migrated Account | Duo support needs to finalize the transition of a child tenant. |
Steps to Resolve π¨βπ»
Duo directly recommends engaging their support team to ensure the Child tenant is correctly nested.
β Contact Duo Support
Provide Duo Support with:
The full error message
The tenant(s) involved
Confirmation that the API calls must flow through the Parent MSP account
Outcome:
Once Duo completes the migration, the Liongard inspector should run normally.
Inspector Setup Requirements (Important) π
Liongard requires working Accounts API and Admin API credentials from the Parent Duo account.
β Required Fields
Field | Where It Comes From | Notes |
API Hostname | Both Accounts + Admin API apps | Must match exactly |
Accounts Integration Key | Accounts API application | Only needed if inspecting child tenants |
Accounts Secret Key | Accounts API application | β |
Admin Integration Key | Admin API application | Always required |
Admin Secret Key | Admin API application | Always required |
β Minimum Required Permissions (Admin API)
Permission | Purpose |
Grant read information | General account data |
Grant read log | Log & auth events |
Grant read resource | Users, phones, groups |
β Optional Useful Permissions
Permission | Enables |
Grant settings | Retrieves Duo security settings |
Grant administrators | Lists Duo administrators |
Additional Troubleshooting (If Error Persists) π§βπ«
If migrating the tenant didnβt resolve the issue, or if Duo states the hierarchy is correct, try the following:
1οΈβ£ Run the Inspector in Clear Cache + Debug Mode
2οΈβ£ Validate API Key Placement
Ensure:
Admin API keys are created under the Parent account, not the Child
Accounts API keys are also under the Parent
Both applications show the same API hostname
3οΈβ£ Try Regenerating Admin or Accounts API Keys
If keys were created years ago or permissions were altered:
Regenerate the secret key
Re-copy and paste into Liongard
Save & Run inspector
4οΈβ£ Check Duo License Level
Some data requires:
Duo Advantage, or
Duo Premier
Retrievable data varies by license.
5οΈβ£ Confirm MSP Hierarchy with Duo Again
Sometimes Duo must perform a backend migration, not visible from the dashboard.
Ask Duo Support to confirm:
Is the Child tenant fully under the Parent MSP account?
Are Admin & Accounts API apps referencing the same deployment?
Is the tenant associated with the correct Duo Deployment Region?
Troubleshooting Flowchart π
βββββββββββββββββββββββββββββββββββ
β Error 400: Cross-deployment API β
β Usage Not Available β
βββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββ
β Check if Parent/Child structure β
β in Duo MSP is configured β
βββββββββββββββββββββββββββββββββββ
β
Yes ββββββββββββββββ No
β β
βΌ βΌ
ββββββββββββββββββββββββ ββββββββββββββββββββββββββββββ
β Validate Admin + β β Contact Duo Support to β
β Accounts API keys β β migrate Child tenant under β
β are created on the β β Parent account β
β Parent account β ββββββββββββββββββββββββββββββ
ββββββββββββββββββββββββ β
β βΌ
βΌ ββββββββββββββββββββββββββββ
ββββββββββββββββββββββββββ Retry Inspector (Clear β
β Verify API Hostnames ββ Cache + Debug Mode) β
β Match Exactly βββββββββββββββββββββββββββββ
βββββββββββββββββββββββββ β
β βΌ
βΌ ββββββββββββββββββββββββββββ
ββββββββββββββββββββββββββββ | Regenerate API Keys & β
β Ensure proper Admin API β | update in Liongard β
β permissions assigned β | β
ββββββββββββββββββββββββββββ ββββββββββββββββββββββββββββ
β β
βΌ βΌ
βββββββββββββββββββββββββ
β Inspector completes β
β successfully β
βββββββββββββββββββββββββ
Contact Support π¦
If the issue remains unresolved after performing the above steps, Contact Liongard Support. Include the following:
Inspector Name
Error message
Debug logs
Confirmation of Admin/Accounts API setup
Whether Duo has already validated tenant migration
Our Support team is happy to help π
β
π¬ Start a chat with Leo (Our AI Assistant) or connect with a live support engineer.
π§ Email: support@liongard.com