
OWA MFA only for External users

davidm2232
Level 1

We have users that access our Exchange 2013 server over OWA from both inside and outside our network. We would like to implement DUO MFA ONLY for users accessing OWA from the internet. We do not want our internal users to be prompted for MFA. Is this possible?


10 Replies

mkorovesisduo
Level 4

Yes, you can accomplish this via an Authorized Networks policy.

Looks like we need the premium DUO service for this. I am trying to get approval to upgrade. Would we be able to apply that just to certain protected applications? There are internal things we want protected by MFA also.

David, you do not need the Premium license; the Access license will work.

mkorovesisduo
Level 4

Yes, you can apply an application-level or global authorized networks policy with Duo MFA (the least-expensive paid edition). You can learn more about our editions here: Pricing | Duo Security

bjames
Level 5

Doesn’t seem to work for us, added the NAT’d network IP for the Server as that seems to be the source in the log files, but it is still prompting the user. Will reach out to support.

@StealthNet

You wouldn’t add the Exchange server’s IP to the authorized networks policy to bypass. You would add the client IPs. This may be the NATed address.

Example:

  • Your internal network is 10.1.0.0/16
  • Your external IP is 1.2.3.4

When the web clients from within your office network access Duo, the IP address reported to Duo is likely the external one (as we record the IP address of the system that displays the Duo prompt as the client IP).

So if you add 1.2.3.4 as the network that doesn’t require 2FA, any web client that comes from that address bypasses Duo auth while client access from any other IP would not.

Duo, not DUO.

Even if we add the NAT address it doesn’t work, still prompts.

Robert James
President

Stealth Network Services Inc.

403-281-8701, Ext. 201 | 207, 4954 Richard Road SW | Calgary, AB | T3E 6L1

Do you have other authentication policies defined that may be overriding the authorized networks setting? Like, if you set the User Location policy to require 2FA for your location, that supersedes Authorized Networks bypass for any network identified as being in that location.

Please contact Duo Support for 1:1 troubleshooting. We can’t review your unique setup to the degree that would be needed here in this public discussion forum.

Duo, not DUO.

bjames
Level 5

Yes, this is what it was: the User Location policy was overriding the Allowed networks. I wish there were a document that would highlight preference order, as we would like to have both options as well as country all at the same time.

Thanks for the suggestion. We can try to get more clarifying information available.

Duo, not DUO.
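
The two points from this thread (the client IP a cloud service sees from an office is likely the NAT'd external address, and a User Location policy that requires 2FA overrides an Authorized Networks bypass), as an added example that is not part of the original posts and is not Duo's code. It is a simplified model for checking a planned configuration; the function names, the country field and the sample logins are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data using the thread's example addresses.
AUTHORIZED_NETWORKS = ["10.1.0.0/16", "1.2.3.4"]

# Constructed records: (user, client IP as the cloud service sees it, country)
LOGINS = [
    ("alice", "1.2.3.4", "CA"),     # office user, seen as the NAT'd external IP
    ("bob", "203.0.113.50", "CA"),  # remote user on the internet
]


def unreachable_entries(networks):
    """Return entries in private address space.

    Clients behind NAT are likely reported by their external address,
    so private ranges in a bypass list are unlikely to ever match.
    """
    return [n for n in networks
            if ipaddress.ip_network(n, strict=False).is_private]


def expected_outcome(client_ip, country, networks, require_2fa_countries):
    """Model of the precedence described in the thread (an assumption,
    not the vendor's policy engine): location requirement wins first."""
    if country in require_2fa_countries:
        return "prompt (location policy requires 2FA)"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(n, strict=False) for n in networks):
        return "bypass (authorized network)"
    return "prompt"


if __name__ == "__main__":
    print("Entries unlikely to match:", unreachable_entries(AUTHORIZED_NETWORKS))
    # Compare the outcome with no location policy and with one covering "CA".
    for location_policy in (set(), {"CA"}):
        print("Location policy requires 2FA for:", sorted(location_policy) or "none")
        for user, ip, country in LOGINS:
            result = expected_outcome(ip, country, AUTHORIZED_NETWORKS, location_policy)
            print(f"  {user:6} {ip:15} -> {result}")
```
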