I’m currently using DUO with ADFS 3.0 (Server 2012 R2) in conjunction with Azure Conditional Access Policies. When signing in to Office 365, I am redirected to ADFS and, after sign-in, receive an MFA challenge from DUO as expected. The problem is that if the user who is authenticating has not previously registered for Azure MFA, they are prompted to do so after the successful DUO MFA challenge. Does anyone know if this is expected behaviour before I start digging into the SAML token?
Never mind - the additional prompt from Azure was actually a Self-Service Password Registration prompt. My bad.