AD user bypassing DUO MFA for web app

GusGalindo
Community Member

Hello community, 

I am facing a rather particular challenge and would like to have your guidance or opinions. 

I work for a company that provides online training to schools as SaaS.

One of our customers logs in to our system using SSO with Microsoft Active Directory.

Recently they have implemented DUO to add MFA to their Azure SSO access and protection to 365 as well. 

They want to also protect 3rd party vendors, like us, using DUO. 

They have added our web application to the conditional access policy, but it bypasses the DUO MFA event, whereas for other vendors it works fine.

We noticed it is possible to trigger the MFA event if they select "all applications" in the conditional access policy; however, this is risky and not recommended by Microsoft.

The workflow experienced is as follows:

Users go to MyWebApp application --> click on "Login with Microsoft" --> Redirected to Microsoft Login Page --> User inserts username and password --> Access is immediately granted to MyWebApp application. (DUO confirmation step is bypassed)

I have no experience with DUO, as this is my first encounter with this technology. I have been investigating a lot but couldn't find a solution.

Not sure if we have to modify our app code to accept DUO claims somehow, or if it's just a configuration setup in Azure/DUO.

Thanks for your reply.


DuoKristina
Cisco Employee

If the question is "Why does the app selection for the Entra conditional access policy not apply to our application?", the answer probably isn't on the Duo side. The fact that "all applications" works but picking your app in Entra doesn't means it is an issue in Entra CA policy assignment, and not in Duo.

I suggest they contact Microsoft support.

The Duo service can only respond to the requests we get from downstream authenticating services, and can't provide any insight into the requests we do not get because the authenticating service (Entra) doesn't send them.

Duo, not DUO.