kyleleighavery
Cisco Employee

Now in public preview: Duo integration with Microsoft Entra ID External Authentication Methods (EAM)

Comments
kkraft
Level 1

Curious if anyone has gotten this to work. I've followed the documentation and can make it work for new users, but if I'm migrating an existing user from the prior CA policy to the new EAM policy, it's not working and fails on the MFA.

I reached out to my Microsoft consultants, who don't believe it's related to the config on the Entra side, so I'm wondering, if anyone got this working, what they had to do to move existing users to the EAM policy?

nlev
Level 1

It's working but we did have some timing issues when migrating someone over to the new policy. It seems the new EAM option didn't show up right away and they might have to try logging in several times before it shows up. Seems a bit glitchy, but it does work eventually.

DuoKristina
Cisco Employee

I remember a similar experience as @nlev when I tested this (before release) with an existing user that I had previously assigned a policy requiring the Duo CA custom control instead. I thought I made a mistake with the policy config, because the user was still getting sent to the CA control after I applied all changes. I got busy with other things, and then tried it again later and the new EAM method for Duo showed up instead of the custom control flow.

nlev
Level 1

Good to know I'm not alone. There were reports of similar issues in the Microsoft blog post comments as well, here: Public preview: External authentication methods in Microsoft Entra ID - Microsoft Community Hub

We tried to switch everyone over to EAM but had to panic revert the change because too many people were encountering that issue. Maybe if we wait a bit longer next time and have people retry they will eventually get through the login. Not a great user experience, but hopefully we can get through it and eliminate the old custom control.

landyn
Cisco Employee

Hi @kkraft! As @nlev mentioned, it could be propagation time for the configuration change, but it's hard to know for sure based on your description of the problem of "fails on the MFA". I would make sure to give the change 5-10 minutes to apply and then test again.

It's worth mentioning, as this could possibly be your issue, that EAM is different from the prior integration to allow the MFA claim to be established in Azure / Entra. Microsoft requires a valid authentication method to be used in order to establish MFA. For this reason, any type of policy that is applied that would bypass MFA will not work with the EAM integration. This includes the new user policy, authentication policy, user location, and authorized networks policy. If any of these policies are configured to bypass users, EAM will not work and the authentication will fail as Duo has no valid authentication method to send to Microsoft that would establish an MFA claim.

If the issue is not resolved after reviewing this, please take a screenshot of the error encountered, noting the URL the browser is navigated to at the time of the error. We'll also want the integration key / client ID for your EAM application, as well as usernames and timestamps. With this information in hand, I would recommend contacting support so they can assist you further with this! Thanks for reaching out!
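As an added example that is not part of this thread and not Duo's own tooling: a small pre-migration check over a Duo policy export that encodes the rule in the post above, namely that any setting which lets a user bypass MFA leaves Duo with no authentication method to report to Microsoft, so the EAM sign-in fails. The key names (`new_user_policy`, `authentication_policy`, `user_location`, `authorized_networks`), the value vocabulary (`bypass`, `require`, `enforce`) and both sample policies are assumed and constructed for this example; map them onto the fields your real export uses.

```python
"""EAM compatibility lint over a Duo policy export (added example, not Duo's code).

Key names and values are ASSUMED for illustration; the four policy areas checked
are the ones named in the post: new user policy, authentication policy, user
location and authorized networks. Any of them set to bypass breaks EAM.
"""
from __future__ import annotations

BYPASS = "bypass"  # assumed vocabulary: the value that skips MFA entirely


def eam_findings(policy: dict) -> list[str]:
    """Return one finding per bypass setting; an empty list means EAM-compatible."""
    findings: list[str] = []

    # New user policy: bypass lets unenrolled users through with no method at all.
    if policy.get("new_user_policy") == BYPASS:
        findings.append("new_user_policy=bypass: unenrolled users would skip MFA")

    # Authentication policy: bypass skips 2FA for everyone the policy covers.
    if policy.get("authentication_policy") == BYPASS:
        findings.append("authentication_policy=bypass: all users would skip MFA")

    # User location: per-country action; sorted so the report order is stable.
    for country, action in sorted(policy.get("user_location", {}).items()):
        if action == BYPASS:
            findings.append(f"user_location[{country}]=bypass")

    # Authorized networks: a bypass action on any CIDR is a bypass for that network.
    for net in policy.get("authorized_networks", []):
        if net.get("action") == BYPASS:
            findings.append(f"authorized_networks[{net.get('cidr')}]=bypass")

    return findings


def eam_ready(policy: dict) -> bool:
    """True when the policy carries no bypass setting that would break EAM."""
    return not eam_findings(policy)


# Constructed sample: a legacy policy that still carries bypass exceptions.
LEGACY_POLICY = {
    "new_user_policy": "bypass",
    "authentication_policy": "enforce",
    "user_location": {"US": "require", "CA": "bypass"},
    "authorized_networks": [
        {"cidr": "203.0.113.0/24", "action": "bypass"},
        {"cidr": "198.51.100.0/24", "action": "require"},
    ],
}

# The same policy with every bypass replaced by an explicit MFA requirement.
EAM_READY_POLICY = {
    "new_user_policy": "require_enrollment",
    "authentication_policy": "enforce",
    "user_location": {"US": "require", "CA": "require"},
    "authorized_networks": [
        {"cidr": "203.0.113.0/24", "action": "require"},
        {"cidr": "198.51.100.0/24", "action": "require"},
    ],
}

if __name__ == "__main__":
    for name, pol in (("legacy", LEGACY_POLICY), ("eam-ready", EAM_READY_POLICY)):
        print(name, "OK" if eam_ready(pol) else "NOT EAM-compatible")
        for line in eam_findings(pol):
            print("  -", line)
```

Run it against each policy that applies to the group you are about to move onto the EAM conditional access policy (global, application and group policies alike) before flipping the switch; a non-empty report is the kind of configuration that shows up as "fails on the MFA" rather than as a clear error.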

DarkLordTyler
Level 1

We have deployed this for around 5 customer environments (around 200 users) without any significant issues.

The main things to triple-check would be:

  • MFA Registration Policy is set to exclude your group tied to the CA policy in Entra ID.
  • Duo EAM is the only enabled application for the group tied to the CA policy, and the group is excluded from every other method.
    • In our environments, Guest Users would still be allowed to use MS Authenticator for Guest Access.
  • Removing your user group tied to the Duo Application and CA in Entra ID for the previous auth method once the new EAM policy and application are turned on.
  • Android seems to be a bit buggy with EAM, and we have had to delete a few authenticators tied to Android devices and allow the users to enroll again.
  • Deleting any MFA methods registered to the user's account in Entra ID.
  • Having the user remove MS Authenticator from their devices if previously used.
  • Set your previous CA policy to Disabled in Entra ID, remove your group(s) from the application in Duo and/or delete the non-EAM application altogether.

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links