AD user bypassing DUO MFA for web app

GusGalindo
Level 1

Hello community, 

I am facing a rather particular challenge and would like to have your guidance or opinions. 

I work for a company that provides online training to schools as SaaS.

One of our customers logs in to our system using SSO with Microsoft Active Directory.

Recently they have implemented DUO to add MFA to their Azure SSO access and protection to 365 as well.

They want to also protect 3rd party vendors, like us, using DUO.

They have added our web application to the conditional access policy, but it bypasses the MFA DUO event, whereas for other vendors it works fine.

We noticed it is possible to trigger the MFA event if they select "all applications" in the conditional access policy; however, it is risky and not recommended by Microsoft.

The workflow experienced is as follows:

Users go to MyWebApp application --> click on "Login with Microsoft" --> Redirected to Microsoft Login Page --> User inserts username and password --> Access is immediately granted to MyWebApp application. (DUO confirmation step is bypassed)

I have no experience with DUO as this is my first approach with this technology. I have been investigating a lot but couldn't find a solution.

Not sure if we have to modify our app code to accept DUO claims somehow or it's just a configuration setup in Azure/DUO.

thanks for your reply. 


4 Replies

DuoKristina
Cisco Employee

If the question is "Why does the app selection for the Entra conditional access policy not apply to our application?" the answer probably isn't on the Duo side. The fact that "all applications" works but picking your app in Entra doesn't means it is an issue in Entra CA policy assignment, and not in Duo.

I suggest they contact Microsoft support.

The Duo service can only respond to the requests we get from downstream authenticating services, and can't provide any insight into the requests we do not get because the authenticating service (Entra) doesn't send them.

Duo, not DUO.

Hi Kristina, 

Thanks for your response. 

I was also exploring the option of implementing the DUO API for PHP on my web app (https://duo.com/docs/authapi#authentication). However, I do not think that would solve my customer's problem, since implementing the DUO API in my web app has nothing to do with their Entra configuration. Like you mentioned, and I agree with you, I think there is something in their Entra policy they would need to adjust.

Do you have any suggestions on how we can test their configuration and confirm whether or not Entra is sending the requests to DUO?
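One thing the vendor app itself can observe, independent of the customer's tenant, is what Entra asserts in the ID token it issues after "Login with Microsoft". Entra ID tokens carry an `amr` (authentication methods references) claim; a value of `mfa` in that list means Entra itself treated the sign-in as multifactor. Logging that claim per login gives the customer evidence of whether the conditional access policy fired for this app, without adding a second Duo prompt. The example below is added here and is not code from the thread or from Duo; the token is a constructed unsigned sample, and a real deployment must let its OIDC library validate the signature, issuer and audience before trusting any claim. Whether a given external MFA integration populates `amr` with `mfa` is something to confirm in the test tenant described later in the thread.

```python
import base64
import json
from typing import Any, Dict, List


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(claims: Dict[str, Any]) -> str:
    # Constructed, unsigned ("alg": "none") token for offline demonstration only.
    # Real Entra ID tokens are RS256-signed; never accept alg=none in production.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def id_token_claims(token: str) -> Dict[str, Any]:
    # Extract the payload only; signature validation is assumed to have
    # already happened in the OIDC client library before this is called.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def mfa_observed(claims: Dict[str, Any]) -> bool:
    # Entra lists the methods used in `amr`, e.g. ["pwd"] or ["pwd", "mfa"].
    amr: List[str] = claims.get("amr", [])
    return "mfa" in amr


def login_audit_record(token: str) -> Dict[str, Any]:
    # One structured record per login that the customer can correlate with
    # their Entra sign-in logs and Duo authentication logs.
    claims = id_token_claims(token)
    return {
        "tenant": claims.get("tid", "unknown"),
        "user": claims.get("preferred_username", "unknown"),
        "amr": claims.get("amr", []),
        "mfa_observed": mfa_observed(claims),
    }


# Constructed sample logins: one where only a password was used (the
# behaviour the thread describes) and one where Entra reports MFA.
PASSWORD_ONLY = make_sample_token({
    "tid": "00000000-0000-0000-0000-000000000000",  # placeholder tenant id
    "preferred_username": "student@example.edu",
    "amr": ["pwd"],
})
WITH_MFA = make_sample_token({
    "tid": "00000000-0000-0000-0000-000000000000",  # placeholder tenant id
    "preferred_username": "student@example.edu",
    "amr": ["pwd", "mfa"],
})

if __name__ == "__main__":
    for name, tok in (("password_only", PASSWORD_ONLY), ("with_mfa", WITH_MFA)):
        print(name, json.dumps(login_audit_record(tok)))
```

If every record from the customer's tenant shows `amr` of `["pwd"]` while other vendors' logins show `mfa`, that points at the conditional access assignment on the Entra side rather than at the app or at Duo, which matches Kristina's reading above.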

>implementing DUO API for php on my web app

What this would do would be to enforce Duo on your app no matter how someone logs into it. If Azure was correctly sending those users to Duo for MFA, adding Duo PHP to your app would make them 2FA twice.

I can't think of any way to test what they see other than you having a test Azure tenant where you have added your app to the enterprise apps, and then you signing up for a Duo trial so that you can also set up Duo 2FA in your test Azure tenant's Entra ID, and then configuring the same conditional access policies in Entra and seeing what happens.

Duo, not DUO.

Hi Kristina, 

Thank you so much for your response, that makes total sense. My thinking was along the same lines; I am actually in the process of setting up an Azure tenant to test the same scenario.

Thanks for your support it was really really helpful. 
