12-11-2021 04:35 AM
All of my users are synced to my Duo portal from Azure AD and all of them have enrolled their mobile devices. I’ve set up an authentication proxy and have my default domain ready to go in my tenant. My next steps are to federate my domain then add the Office 365 application in the Duo admin panel. Will my users lose the ability to log in after I federate my domain? I assume they won’t start using Duo for authentication until I get the application set up in the Duo admin panel?
The majority of my users have Outlook installed and we see the Office 365 prompt to log in. When we do cut over to Duo for authentication, will we start to see a Duo prompt rather than a 365 prompt?
12-13-2021 05:20 AM
Hi @opsteam,
If you’re following our instructions for Microsoft 365 with Duo SSO, you should be instructed to create the Duo Admin Panel application first and then download a PowerShell script that will help you through the federation.
Once your domain is federated, when asked to authenticate, users will be prompted and shown the Duo SSO login page instead of the Microsoft login page.
12-13-2021 07:24 AM
Thank you Jamie! Do you happen to have a screenshot of what the SSO login page looks like so I can send to my users?
12-13-2021 07:41 AM
The page will look like this: Duo Single Sign-On - Guide to Two-Factor Authentication · Duo Security
I’d recommend enabling Duo Central which will let you see what the login experience will look like and also can act as a hub for users to be able to get to all their applications.
12-13-2021 07:43 AM
Perfect. Thank you again for your help Jamie! I will definitely take a look at Duo Central.
12-13-2021 02:28 PM
So close to having this deployed. I have the 365 application set up, I’ve tested through the authentication proxy using authproxy_connectivity_tool.exe, and I’ve downloaded the PowerShell script I need to federate my domain. I can’t seem to find documentation outlining the requirements to allow self-service password resets for my users though. Is there anything I need to set up for them to have that ability?
12-13-2021 03:00 PM
The setting is configurable on the Active Directory authentication page. Just to note that Duo SSO only supports expired password reset so a user won’t be able to initiate a reset early but will be prompted once their password has expired.
You can see the user experience here.
12-15-2021 03:11 PM
Awesome. According to those requirements I should be good to go. Will my users still be able to change their passwords via the Office 365 portal?
12-16-2021 05:30 AM
I believe that if you already have configured the Azure AD connector to handle password write backs that will still be an option but they’d need to be logged into Microsoft 365 already to see it.
I think users, in that case, might see two different scenarios:
12-16-2021 07:41 AM
That’s how I had imagined it working. I’ll know for sure when I complete our Duo deployment tonight. I appreciate all of your help Jamie!!