Entra External Authentication Method errors: AADSTS900144

imm_baker
Level 1

Hi all,

Has anyone else noticed in the last couple of days if EAM (External Authentication Method) is configured for MFA with DUO in Entra and some end users are getting:

AADSTS900144: The request body must contain the following parameter: 'externalAuthenticationMethodId'
It's been working for us fine for months/years but the last couple of days we are seeing heaps of the error above.

Thanks

Accepted Solution

landyn
Cisco Employee

FINAL UPDATE: Microsoft is implementing a fix for this issue that will be deployed within the next few hours. This error occurs when a user is first prompted for a Microsoft built-in method and the user then tries to select an External Authentication Method.

As a reminder, we'd recommend enabling the "System-preferred multifactor authentication" setting in Entra's Authentication methods policy. This will provide a more streamlined user experience and effectively prioritize EAM above all other Microsoft built-in methods other than an active Temporary Access Pass or Passkey that is registered directly with Entra.

TL;DR - this will be fixed, and also system-preferred enabled will fix this


12 Replies

Anon369
Level 1

Exact same issue here, ran through troubleshooting steps, deleted setup in Duo and Entra then recreated.. error persists..

wajidhassan
Level 4

This error typically points to a misconfiguration or a change in the authentication flow. Based on the error message, it appears that the externalAuthenticationMethodId parameter is missing or incorrectly passed in the request body, which is crucial for the External Authentication Method (like Duo MFA) to function correctly.

Potential Causes:
Azure AD Changes:

It's possible that Microsoft recently introduced an update or change to Azure AD (Entra ID), or specifically to the MFA or external authentication configuration, which could have impacted how external MFA methods (like Duo) are integrated. Microsoft sometimes rolls out updates that could alter API requests or expected configurations.

Duo Configuration Issues:

If there's a mismatch between your Duo configuration and Azure AD's requirements, especially with External Authentication Method (EAM), it could lead to missing parameters or broken authentication flows.

Check if there are any recent updates or changes in Duo's integration with Azure AD.

Recent Changes in API or Authentication Settings:

If you've made any recent changes in Azure AD's conditional access policies, MFA settings, or third-party authentication methods (like Duo), this could cause the issue.

Sometimes, API updates or changes to authentication protocols may require new configurations or updates to maintain compatibility.

Token Expiry/Issues:

Another possibility is a token issue. Sometimes tokens used in MFA flows, particularly for external authentication methods, can expire or become invalid, causing the missing parameter error.

Entra/AD Sync Issues:

If your Entra ID (Azure AD) setup involves syncing with on-premises AD, there may be a delay or sync issue causing the missing parameter.

Steps to Troubleshoot:
Review Azure AD Logs:

Check Azure AD sign-in logs for more specific details about failed authentication requests.

Navigate to Azure Portal > Azure Active Directory > Sign-ins to see detailed logs and any specific details regarding the failure.

Check External Authentication Settings:

Verify your External Authentication Method (EAM) settings within Azure AD. Ensure that the Duo integration is configured correctly and that it is properly registered with Azure AD.

Confirm that the externalAuthenticationMethodId is correctly passed in the MFA request.

Revisit Duo MFA Settings:

Make sure that Duo’s MFA integration is still active and properly configured with Azure AD. Verify any recent Duo updates or changes to their Azure AD integration documentation that may impact the flow.

API/SDK Updates:

If you're using an SDK or custom integration for Duo with Azure AD, verify that you are using the latest version of the Duo Authentication API.

Check for any announcements from Duo or Microsoft about recent API changes.

Check Conditional Access Policies:

If you are using conditional access policies in Azure AD, make sure that the policies are correctly configured to allow Duo MFA as an external authentication method.

Review whether the policies might have changed recently and could be causing issues.

Test with a Different User:

Test the MFA flow with another user or service to see if the issue is specific to certain accounts. If other users can authenticate without issues, it might be an account-specific configuration problem.

Contact Support:

If the issue persists and there have been no recent updates from Microsoft or Duo regarding the integration, consider reaching out to Microsoft Support and Duo Support to investigate any ongoing issues on their end.

Thanks for the tips, however nothing has been changed by us in the environment. It simply started occurring in our production and test tenants which each use separate EAM configurations. The issue can also be recreated by anyone by simply selecting 'Sign in another way' if they have alternate auth methods like MS authenticator, then selecting Approve with DUO.

Some users who have something set as their default authentication method, however, get the experience explained above. We can get them working by clearing all authentication methods in Entra so that they get back into the state 'no default'. Then DUO just works.
We have an active ticket with MS about this, I'll update this thread if anything comes of it.

I'd be interested to know if anything changed on the DUO side in the week though?

 

b-croz
Level 1

We have just set up Duo EAM in our 365 tenancy and are getting the same issue. I have logged a Duo Support case; however, my thinking, based on the above, is that it's likely a config change from MS causing this. We haven't had a successful click through to the Duo MFA yet, and I'm hesitant to remove all MFA methods for a user in case it 'bricks' them. Watching this thread closely. Please let us know if you get a result back from Microsoft on this!

DuoKristina
Cisco Employee

I'm sorry you're having issues with EAM auths! We have started hearing some reports of this via Duo support as well. We don't yet know what's going on but feel it's highly likely a Microsoft issue since we haven't made any EAM-specific deployment changes this week, and the error is happening before Duo is involved.

I encourage you to contact Duo Support to open a case and explicitly mention the "requested body must contain the parameter external authentication method id" error and provide a correlation ID you received from Entra with the error. We are tracking these cases to present to our technical partner contacts at Microsoft.

We also suggest that you engage Microsoft support to report this as well, so they are directly aware of the problem.

Duo, not DUO.
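As an added example (not part of the thread and not Duo's or Microsoft's code): one way to pull the affected users and the correlation IDs support asks for out of an exported sign-in log. It assumes records shaped like the Microsoft Graph signIn resource (`status.errorCode`, `correlationId`, `userPrincipalName`, `createdDateTime`); the sample users, times and GUIDs are constructed.

```python
import json
from collections import defaultdict

TARGET_ERROR = 900144  # numeric part of AADSTS900144

# Constructed sample export (not real tenant data). Field names follow the
# Microsoft Graph signIn resource; users, times and GUIDs are made up.
SAMPLE_EXPORT = json.dumps({"value": [
    {"createdDateTime": "2025-01-01T09:00:00Z", "userPrincipalName": "Alice@contoso.example",
     "correlationId": "00000000-0000-0000-0000-000000000001",
     "status": {"errorCode": 900144}},
    {"createdDateTime": "2025-01-01T09:05:00Z", "userPrincipalName": "alice@contoso.example",
     "correlationId": "00000000-0000-0000-0000-000000000002",
     "status": {"errorCode": 900144}},
    {"createdDateTime": "2025-01-01T09:06:00Z", "userPrincipalName": "alice@contoso.example",
     "correlationId": "00000000-0000-0000-0000-000000000003",
     "status": {"errorCode": 0}},            # successful sign-in
    {"createdDateTime": "2025-01-01T10:00:00Z", "userPrincipalName": "bob@contoso.example",
     "correlationId": "00000000-0000-0000-0000-000000000004",
     "status": {"errorCode": 50126}},        # unrelated failure
    {"createdDateTime": "2025-01-01T10:01:00Z", "userPrincipalName": "bob@contoso.example",
     "correlationId": "00000000-0000-0000-0000-000000000005",
     "status": {"errorCode": 900144}},
]})


def triage(export_json, error_code=TARGET_ERROR):
    """Return {upn: {count, first, last, correlation_ids}} for one error code."""
    data = json.loads(export_json)
    # Accept either a Graph-style {"value": [...]} envelope or a bare list.
    records = data.get("value", []) if isinstance(data, dict) else data
    by_user = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                   "correlation_ids": []})
    for rec in records:
        if (rec.get("status") or {}).get("errorCode") != error_code:
            continue
        # UPN case varies between records, so normalise before grouping.
        entry = by_user[(rec.get("userPrincipalName") or "unknown").lower()]
        entry["count"] += 1
        ts = rec.get("createdDateTime")
        if ts:  # same-format UTC ISO 8601 strings sort chronologically
            entry["first"] = min(filter(None, (entry["first"], ts)))
            entry["last"] = max(filter(None, (entry["last"], ts)))
        cid = rec.get("correlationId")
        if cid and cid not in entry["correlation_ids"]:
            entry["correlation_ids"].append(cid)
    return dict(by_user)


if __name__ == "__main__":
    for upn, info in sorted(triage(SAMPLE_EXPORT).items()):
        print(upn, info["count"], info["first"], info["last"], *info["correlation_ids"])
```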

Yes we are still seeing the issue. The case with MS support is still ongoing (apparently it's been escalated to the product team). Hopefully between Duo's own discussions with MS and others such as ours we get some resolution.

One of my co-workers has also logged a call with Duo as per your request.

If we hear any news I'll be sure to update this thread.

b-croz
Level 1

Sorry, but we’re having trouble signing you in.

 
AADSTS900144: The request body must contain the following parameter: 'externalAuthenticationMethodId'.

b-croz
Level 1

I have completed the Authentication Migration, as ours was partially completed, in https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods
This has completed the Authentication migration settings and removed all other methods of MFA other than Duo EAM, and it's now working for me. Felt a bit like a risky thing to do as if it didn't work I'd have no way to log in, but it's resolved now. Hope this helps others to fix theirs. 

landyn
Cisco Employee

Hey everyone, thanks for sharing your experiences and possible fixes! Microsoft has acknowledged this issue on their end and they are currently working on a fix and an ETA. I'll return here with a final update once I know their fix timeline. 

At this time, we don't need additional correlation IDs to pass along to the Microsoft team, but please feel free to engage with Microsoft and Duo support teams if you'd like for due diligence.

imm_baker
Level 1

Just confirming - the issue seems to be resolved for us now MS has implemented the fix.

Anon369
Level 1

Thanks everyone, can confirm it's now working also. Have a great day =]