05-12-2021 04:15 PM
Can (or will) Duo be an equal choice along with Azure’s MFA?
Today, if one is doing a plain non-federated login at https://login.microsoftonline.com/ and the account has Azure MFA configured, it appears that Duo can’t be set up to satisfy (some?) Azure MFA requests.
We have Duo configured in our Azure AD Tenant and my account requires it. When I log in, I get the Duo page and do that, all good. But if I then visit https://myaccount.microsoft.com/ and try to view my ‘Security info’, I have to use one of the Azure MFA methods which I previously configured on that security page.
-Phil
02-09-2022 05:17 AM
Hello @pgp,
You’re right. In the current custom MFA controls for conditional access feature, third-party controls like Duo’s are unable to satisfy the multipleauthn authentication method reference (AMR) claim requirement that lets Azure recognize these controls as satisfying an MFA requirement. This constraint is briefly described in the second bullet here.
Today we do not have much more information about Microsoft’s timeline for the successor to the current custom controls solution than what’s in the 2020 post.
05-13-2021 01:06 PM
Hi Phil, thanks for sharing your question here. I don’t know the answer to this myself, but I will take it back to the team and look into it for you. Just wanted you to know I saw your post and am working on getting the solution!
05-14-2021 08:29 AM
Hi again, I have a few follow-up questions if you don’t mind. This will help us with sorting out what’s going on here. I was reading Microsoft’s documentation about security info and codes and I just wanted to confirm you removed the Azure MFA methods you previously configured? Also, how long ago did you remove those?
I noticed on the page:
Note: If you request removal of all security info in your account, the info doesn’t actually change for 30 days. During this time, we cannot accept further changes or additions to security settings or billing info.
So depending on when you removed those from your profile, you might still be prompted if you are within the 30-day window.
02-08-2022 09:22 AM
Not directly answering your questions, but maybe this will help explain: I’m looking for the “upcoming changes” to be implemented that Microsoft mentions in Upcoming changes to Custom Controls. That work sounds like it would give Duo parity with Azure MFA.
02-08-2022 10:43 AM
Ah ok, that does help. I definitely misunderstood your question. Thank you for clarifying!
Yes, you’re exactly right. Since this is dependent on the changes that Microsoft is making, and I unfortunately do not have visibility into the status of those changes, I don’t have a timeline or estimate to share of when that would be available.