Solved: OWA MFA only for External users

davidm2232 · ‎07-01-2019

We have users that access our Exchange 2013 server over OWA from both inside and outside our network. We would like to implement DUO MFA ONLY for users accessing OWA from the internet. We do not want our internal users to be prompted for MFA. Is this possible?

DuoKristina · ‎01-31-2020

Do you have other authentication policies defined that may be overriding the authorized networks setting? Like, if you set the User Location policy to require 2FA for your location, that supersedes Authorized Networks bypass for any network identified as being in that location.

Please contact Duo Support for 1:1 troubleshooting. We can’t review your unique setup to the degree that would be needed here in this public discussion forum.

Duo, not DUO.

View solution in original post

mkorovesisduo · ‎07-01-2019

Yes, you can accomplish this via an Authorized Networks policy.

davidm2232 · ‎07-01-2019

Looks like we need the premium DUO service for this. I am trying to get approval to upgrade. Would we be able to apply that just to certain protected applications? There are internal things we want protected by MFA also

bjames · ‎02-27-2020

David, You do not need the Premium license, the Access license will work.

mkorovesisduo · ‎07-01-2019

Yes, you can apply an application-level or global authorized networks policy with Duo MFA (the least-expensive paid edition). You can learn more about our editions here: Pricing | Duo Security

bjames · ‎01-28-2020

Doesn’t seem to work for us, added the NAT’d network IP for the Server as that seems to be the source in the log files, but it is still prompting the user. Will reach out to suport

DuoKristina · ‎01-31-2020

@StealthNet

You wouldn’t add the Exchange server’s IP to the authorized networks policy to bypass. You would add the client IPs. This may be the NATed address.

Example:

Your internal network is 10.1.0.0/16
Your external IP is 1.2.3.4

When the web clients from within your office network access Duo, the IP address reported to Duo is likely the external one (as we record the IP address of the system that displays the Duo prompt as the client IP).

So if you add 1.2.3.4 as the network that doesn’t require 2FA, any web client that comes from that address bypasses Duo auth while client access from any other IP would not.

Duo, not DUO.

bjames · ‎01-31-2020

Even if we add the nat address it doesn’t work, still prompts

Robert James
President

Stealth Network Services Inc.** **

403-281-8701, Ext. 201 | 207, 4954 Richard Road SW | Calgary, AB | T3E 6L1

DuoKristina · ‎01-31-2020

Do you have other authentication policies defined that may be overriding the authorized networks setting? Like, if you set the User Location policy to require 2FA for your location, that supersedes Authorized Networks bypass for any network identified as being in that location.

Please contact Duo Support for 1:1 troubleshooting. We can’t review your unique setup to the degree that would be needed here in this public discussion forum.

Duo, not DUO.

bjames · ‎02-11-2020

Yes this is what it was, the User location was overriding the Allowed networks. I wish there is a document that would highlight preference order, as we would like to have both options as well as country all at the same time.

DuoKristina · ‎02-20-2020

Thanks for the suggestion. We can try to get more clarifying information available.

Duo, not DUO.