02-08-2021 09:02 AM
Hi,
we’re using Cisco Duo within our ADFS Farm (Windows 2019). We’re federating with O365 and requiring MFA for external access. As long as a user mailbox is located on on-prem Exchange there’s no problem. If the user has a cloud mailbox, Outlook keeps asking for the password on profile/account generation. I’ve read through this article here: Knowledge Base | Duo Security, but even if I configure the mentioned additional authentication rule "Example custom rule to globally disable 2FA on ActiveSync and Autodiscover endpoints while requiring 2FA for all other connection types" it won’t work. As soon as I disable MFA for external access the Outlook profile generation works as expected. Using Outlook 2013 or Outlook 2016 doesn’t make a difference.
Anyone here who has solved this?
Regards
02-22-2021 05:51 AM
Hi,
after taking some time to evaluate my environment regarding O365, Duo and ADFS, I think I found the culprit.
I had modified the Access Control Policy on the O365 Relying Party Trust, which effectively prohibited the use of additional authentication rules. After cleaning up my mess, I was able to find a functional way to achieve the desired goal.
I used the following AAR (straight quotes; the forum rendered them as curly quotes, and the claim type on the first line had been partially masked, so it is spelled out here):
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "Microsoft.Exchange.ActiveSync|Microsoft.Exchange.Autodiscover"])
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
Taken from https://www.michev.info/Blog/Post/1393/ad-fs-and-mfa-configuring-multiple-additional-authentication-rules
Actually that is nearly identical to
https://help.duo.com/s/article/3174?language=en_US
Probably in this Duo help article the “correct wording” should be additional authentication rules instead of advanced authentication rules.
If somebody tries to use the solution, please consider the HTML formatting, which will not help with ADFS PowerShell.
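Putting the accepted answer into practice, as an added example that is not the poster's own commands: the rule above with straight quotes, applied through the ADFS PowerShell cmdlets, after first detaching any Access Control Policy from the O365 relying party trust, because an assigned policy is exactly what blocked the additional authentication rules in this thread. The relying party display name is an assumption (it is the common default, but yours may differ); list your trusts with Get-AdfsRelyingPartyTrust before running it.

```powershell
# Added example, not the poster's commands. Run in an elevated PowerShell
# session on an AD FS server (Windows Server 2016 or later).
# ASSUMPTION: the O365 trust uses the common default display name below.
$rpName = 'Microsoft Office 365 Identity Platform'

# The additional authentication rule from the thread, with straight quotes.
# Meaning: demand MFA (multipleauthn) when the request comes from outside the
# corporate network, unless the client identifies itself as ActiveSync or
# Autodiscover. Single-quoted here-string so PowerShell leaves it untouched.
$rule = @'
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "Microsoft.Exchange.ActiveSync|Microsoft.Exchange.Autodiscover"])
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found; check Get-AdfsRelyingPartyTrust | Select Name" }

# An Access Control Policy assigned to the trust takes precedence over, and
# blocks, AdditionalAuthenticationRules (the culprit in the thread). Detach it
# so the legacy rule language is honoured again.
if ($rp.AccessControlPolicyName) {
    Write-Host "Removing access control policy '$($rp.AccessControlPolicyName)' from '$rpName'"
    Set-AdfsRelyingPartyTrust -TargetName $rpName -AccessControlPolicyName $null
}

# Apply the rule.
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $rule

# Verify: AccessControlPolicyName should now be empty and the rule text present.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, AccessControlPolicyName, AdditionalAuthenticationRules |
    Format-List
```

Keep in mind what the rule grants: ActiveSync and Autodiscover requests from outside the corporate network are matched by a regex on the self-described client application claim and reach Exchange Online on the primary credential alone. Record that exemption as a deliberate risk decision, and re-run the final Get-AdfsRelyingPartyTrust check after any later change to the trust, since re-assigning an Access Control Policy silently disables the rule again.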
02-09-2021 11:14 AM
I’ve had this problem, too. I had to use this fix: Knowledge Base | Duo Security
Let us know if that resolves your issue. Good luck!
02-11-2021 12:08 PM
Thanks, John, for sharing that answer here! @Deckard99 - please let us know if there is anything else we can help with. We appreciate you sharing your question in the community!
02-12-2021 06:00 AM
Hi John, Hi Amy,
unfortunately that did not help. Can anyone tell me if the O365 tenant needs modern authentication activated for that to work?
Regards