on 05-13-2024 12:43 PM
Now in public preview: Duo integration with Microsoft Entra ID External Authentication Methods (EAM)
I am so afraid to enable Duo EAM, as I had to use "require re-registration MFA" in my test tenant to get myself out of an endless loop of Microsoft MFA. I have to have SSPR; is the only solution (for now) having users register for both Duo & Microsoft MFA?
Thanks @gvarga! We do know that system-preferred will soon include External Auth methods, so that is coming.
@Adminnnn that's correct. We're hoping for some improved controls that would help with these scenarios but are not sure exactly what that would look like yet. We'd prefer SSPR support EAM and are waiting for that so your users don't have to dual-enroll in MFA just for that!
@landyn thanks for the reply and confirmation of behaviour we're seeing.
I'll see how I can feed back to Microsoft through colleagues that deal with our Microsoft account.
I am curious how others are handling file sharing within Microsoft SharePoint / OneDrive. If you want to enforce MFA for those External users, when using EAM are they going to be forced to setup a Duo MFA account? This seems to be the case. This will start to add up in costs for me as the MSP / in turn the customer. Hoping maybe I can enforce Microsoft MFA for those users. Has anyone set this up with EAM / Duo and external users?
@Adminnnn you can't; this is another show stopper with the EAM integration. Duo doesn't support Azure AD Guest accounts and Microsoft doesn't let us give Guests different authentication methods in the policy.
What needs to happen is Microsoft improves the Authentication Methods Policy and lets you select separate options for Guests vs Users. This way I can force my Guests to use MS authenticator and my Users Duo. This is what we do today with the Conditional Access Policies integration.
Ugh, any reason to switch to EAM then? Seems like more of a headache than anything else (not blaming Duo here, but it doesn't sound ready for prime time). I am wondering what the use case of EAM is at this time....
I can't wait to transition to EAM, but it's abundantly clear that Microsoft EAM isn't ready yet, so no, there's no reason to switch today in my opinion. Once they mature the solution, though, it'll be awesome to have Duo treated as an actual MFA method by Microsoft and no longer need to have a dozen Conditional Access policies.
@landyn thanks for the additional info.
Managing external guests via groups is not feasible for most businesses. Guests pop up all the time, often with no notice, so to rely on IT to add them to the right group is a bit crazy. EAM really won't be feasible for most until you can set methods for all Guests like you can with Conditional Access Policies.
For the same reason as above, at least for me I have NO desire to support Guest accounts in Duo unless Cisco decides they don't consume licenses. It would be quite expensive AND impossible to budget for. Am I going to have 50 active guests this month or 500? Who knows; there's often no stopping the business inviting guests. Oops, Greg in Legal just invited an external law firm of 100 to a SharePoint site and now we're so over-licensed in Duo; break out the checkbook.
I'd argue it would be best for Cisco to simply NOT require licenses for Guests to encourage adoption anyway.
As much as I can't wait to migrate, EAM won't work for most until Entra ID Authentication Methods supports setting separate policies for Guests vs Users just like they do today with Conditional Access Policies.
I would think a dynamic group would work to identify those guest users and, as mentioned, force them to Microsoft MFA since it is free. I can be hands-off at that point; I don't want to start supporting guest users' Duo issues nor pay for them consuming a Duo user anyway. I will give this a try.
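The dynamic-group approach in the post above, written out as an added example (not from the thread, and not Duo's or Microsoft's own documentation): a dynamic security group whose membership rule picks up every guest account, a Conditional Access policy that requires MFA for that group, and a note on where the same group is excluded from the EAM policy. It assumes the Microsoft.Graph PowerShell SDK and an admin session with the listed scopes; the display names, mail nickname and `$EamPolicyId` are placeholders. As earlier replies point out, the Authentication Methods Policy itself cannot yet be scoped differently for Guests and Users, so this only controls which Conditional Access policy a guest hits; check the sign-in logs in report-only mode before enforcing.

```powershell
# Added example: route guests to a separate MFA policy with a dynamic group.
# Assumes Microsoft.Graph PowerShell SDK; names below are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Dynamic security group: the membership rule matches every guest account,
#    so newly invited external users are picked up without IT adding them by hand.
$guestGroup = New-MgGroup -DisplayName "SG-Dynamic-AllGuests" `
    -MailEnabled:$false -MailNickname "sg-dynamic-allguests" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule '(user.userType -eq "Guest")' `
    -MembershipRuleProcessingState "On"

# 2. Conditional Access policy requiring MFA for that group on all cloud apps.
#    Report-only first, so sign-in logs show who would be affected before enforcement.
$policy = @{
    displayName   = "CA-Guests-RequireMFA"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeGroups = @($guestGroup.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3. The same group ID goes into conditions.users.excludeGroups on the existing
#    EAM Conditional Access policy ($EamPolicyId is a placeholder). Read the policy
#    first and write back the full users block, so existing include/exclude
#    entries are not dropped by the update.
$EamPolicyId = "<your-EAM-policy-id>"
$eam   = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $EamPolicyId
$users = $eam.Conditions.Users
$users.ExcludeGroups = @($users.ExcludeGroups) + $guestGroup.Id
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $EamPolicyId `
    -BodyParameter @{ conditions = @{ users = $users } }

# 4. Sanity check once dynamic membership has been processed: how many guests
#    the rule currently covers (useful for the licensing question raised above).
$guestCount = (Get-MgGroupMember -GroupId $guestGroup.Id -All).Count
Write-Output "Guests currently in scope: $guestCount"
```

The group needs a few minutes after creation before the membership rule is processed, so run step 4 later rather than immediately. Keep the guest policy in report-only until the sign-in logs confirm that guests are evaluated against it and not against the EAM policy.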
Is anyone else here seeing issues with users getting redirected to EAM even though they are excluded from the EAM conditional access policy? This issue seems to have started last week. When a user does not have SSPR set up, instead of redirecting them to the legacy SSPR where they can set up backup password reset methods, they get sent to EAM, where they are unable to continue since they are not configured in Duo, our EAM provider. We're using the legacy SSPR and are in "not migrated" status because I don't think Duo can support SSPR yet.