Duo Security - Alert on account placed in BYPASS
under review
Chris Holliman
Regarding the alerts I posted, of course this only runs after the Duo inspector updates, so typically we tell our team: "Don't leave a user in bypass, but if you do (for example, VPN troubleshooting), we'll receive a ticket no later than the next day for the issue." In other words, it's of course not a real-time alert, as the Roar/Duo process doesn't have real-time inspections.
Chris Holliman
We have implemented this for our clients by the following methods against the Duo inspector:

Created a metric for "Duo: Bypassed User Count":

    Users[?status == 'bypass'] | length(@)

Then, for the specific user(s), a second metric:

    Users[?status == 'bypass'].realname | join(', ', @)

Finally, the alert rule:

CONDITIONS
Duo: Bypassed User Count > 0
High priority

BODY
There is a user within this Duo tenant that is currently in Bypass which may allow them to circumvent the multi-factor authentication process. This is a critical alert that needs to be reviewed as soon as possible. Duo Security: Detect Bypassed Users: {{Duo Security: List Bypassed Users}}

ALERT COMMENTS
Duo Security: Detect Bypassed Users: {{Duo Security: List Bypassed Users}} These users are currently bypassed and need to be resolved.

TEMPLATES
(our template name)