cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2153
Views
4
Helpful
16
Replies

Microsoft Mandatory MFA - Using DUO

bjames
Level 5
Level 5

So I keep getting the notice from Microsoft they will mandate MFA for Azure, etc. by Oct, 15th. We are currently using Duo for MFA to 365/Azure/etc. It seems like Microsoft is pointing to their Authenticator app for MFA, Is there a way we can insure it accepts Duo after their push to MFA?

Their documentation does really show a way to use a third party app, has Duo already tackled this issue?

 

Thanks in Advance

16 Replies 16

bjames
Level 5
Level 5

Thank you for the second one, I am still not convinced Microsoft will make it smooth as they only list third parties and a secondary method of authentication. I will go though our policies and see if they are set in a way so we won't lose MFA come October.

 

Ok in review it looks like the proper setup is protection with Microsoft Entra ID in Duo. I guess my next question is do you still need the MS 365 Duo app protection as well, or both, or more? Can someone from Duo chime in?

 

 

DuoKristina
Cisco Employee
Cisco Employee

@bjames what exactly are you referring to when you say "MS 365 Duo app protection"? Do you mean M365 federated with Duo SSO?

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication#external-authentication-methods-and-identity-providers says:

"Support for external MFA solutions is in preview with external authentication methods, and can be used to meet the MFA requirement. The legacy Conditional Access custom controls preview won't satisfy the MFA requirement. You should migrate to the external authentication methods preview to use an external solution with Microsoft Entra ID. 

If you're using a federated Identity Provider (IdP), such as Active Directory Federation Services, and your MFA provider is integrated directly with this federated IdP, the federated IdP must be configured to send an MFA claim."


If you look at the various way Duo can protect Azure/Entra/M365 logins (most listed on https://duo.com/docs/o365), some of them can satisfy Microsoft's MFA claim and some cannot.

  • Duo External Authentication Method for Entra ID External Authentication Methods (EAM) - YES
  • Duo Two-Factor Authentication for Microsoft Entra ID (formerly Azure Active Directory) - NO
  • Single Sign-On for Microsoft 365 with Duo Single Sign-On - YES
  • Single Sign-On with Duo Access Gateway - NO
  • Duo Multifactor for Microsoft Active Directory Federation Services - YES
  • Single Sign-On with Third-Party Identity Providers - It depends on the IdP, and one would need to ask them if they send the MFA claim to Microsoft if someone authenticated at their service with their Duo integration.

If you already use Duo SSO for Microsoft 365, and every user who accesses the consoles and apps Microsoft listed in their email notice about MFA logs in through Duo SSO, then you're likely already meeting the requirement. If you have cloud-only (as in, not federated) users who sign into those consoles, who don't sign in with Duo at all right now, or sign in via the Duo custom control for CA, they don't meet the requirement and the recommended solution that features Duo would be Duo for Microsoft EAM for those cloud-only users - but this solution could co-exist with an SSO solution for federated users.

Duo, not DUO.

Thanks Kristina,

 

We currently have M365 protected with Duo MFA, but MS wants the MFA specifically set a different way. I assume in Entra, which I do see as an option to protect in Duo. I guess the question is do I need M365 app as well as the Entra App protected via Duo? How will this affect our current 365 Duo implementation?

 

Thanks

 

If by "M365 app" you mean "Duo SSO for Microsoft 365", no you do not need this if you aren't already using it to achieve compliance with this new requirement, but also if you are already using Duo SSO for M365 (when you look at your applications in the Duo Admin Panel you have one of the type "Microsoft 365"), that can meet the MFA requirement for any user who is federated and signs into Entra using Duo SSO.

If you are currently using the Duo custom control for Entra conditional access (when you look at your applications in the Duo Admin Panel you have one of the type "Microsoft Azure Active Directory"), you will need to switch to something else, and the easiest option for you to switch to is using Duo for Microsoft Entra ID EAM in your Entra ID conditional access policies instead.

ETA: here's a scenario where someone might want to have two different types of Duo apps in use with Entra ID:

- You have users you sync into Entra from an on-premises AD domain and you have Duo SSO federated with Microsoft 365 so that these users sign in with Duo MFA, but your Entra admins aren't included in the population of federated users.
- You configure Duo for Entra ID EAM as well and apply Duo MFA this way via conditional access policies to the Entra admin accounts that aren't federated (exist in cloud only).
- Result: everyone gets Duo'd.

Duo, not DUO.

I have a follow up question.  I understand that if we are using the legacy Duo Two-Factor Authentication for Microsoft Entra ID with the custom control that this will no longer satisfy the MFA claim in 365 for admin access, as it's clear this MFA enforcement change by Microsoft is currently targeted at users accessing the admin portals.  What's not clear is if the legacy method using the custom control to require "DuoMFA" will also start failing for regular users MFA when they log into their productivity apps or portals.  Can you provide clarity?  

I'm not sure that's true, if you go into EntraID and list your users, is it showing MFA enabled for the users in question?

I'm not talking about per-user MFA in the 365 portal.  I'm talking about the Duo Two-Factor Authentication for Microsoft Entra ID with the custom control.  That's being deprecated for the admin portals and you have to switch to the EAM method.  The question is will the old way still satisfy a Conditional Access rule for regular users.    

DuoKristina
Cisco Employee
Cisco Employee

We have a kb article about the MFA requirement for Entra here: https://help.duo.com/s/article/8915?language=en_US (that reiterates some of what I've already shared).

Duo, not DUO.

bjames
Level 5
Level 5

Thank you Kristina, Yes we are using Duo SSO for Microsoft 365. I don't think this covers the Microsoft requirements for MFA as we are still getting warning emails from MS. We will add the Duo for MS Entra app and follow MS's External Authentication method in Entra to set this up. I guess my next logical questions would be what are the ramifications of having both the Duo apps - 365 and Entra at the same time?

Thanks

>Yes we are using Duo SSO for Microsoft 365. I don't think this covers the Microsoft requirements for MFA as we are still getting warning emails from MS. 

This makes me think you have admins (as in, accounts assigned some Entra admin role) who aren't coming from your on-prem AD via AAD Connect sync, so yeah, you would want to apply the Duo EAM method to them. 

If you set up M365 federation with Duo SSO prior to Feb 2022 you should make sure that you enabled the "SupportsMFA" option for the federated domain: https://help.duo.com/s/article/7538.

> I guess my next logical questions would be what are the ramifications of having both the Duo apps - 365 and Entra at the same time?

Nothing; they can co-exist. The one thing you'd want to watch out for is that you don't want to apply an Entra conditional access policy requiring the Duo EAM method to your federated users who sign in with Duo SSO, or they would pass through Duo auth twice: one MFA at Duo SSO followed by another MFA using EAM.

Duo, not DUO.

bjames
Level 5
Level 5

OK I think I get it, we can use both but the local Entra Admins (not in Sync'd AD) will need conditional access setup and the other Federated users using Duo do not require it.

Am I understanding this correctly?

Yes.

Duo, not DUO.

bjames
Level 5
Level 5

Thank you so much! I wish Microsoft was this helpful

Quick Links