We have an application setup for our Microsoft Entra ID (External Authentication Methods)
It appears that all regular users get pointed to the universal prompt for DUO when signing in.
The administrators in Entra get a microsoft landing page that looks like DUO.
The prompt comes from login.microsoftonline.com instead of api-xxxxxx.duosecrity.com.
I also notice when an admin logs into Entra ID or an application that SSO is pointed to Entra, there is not a log of that in DUO.
If I go to my user in the log, I see VPN application and nothing from the Entra ID application.
Almost as if it's not hitting DUO at all.
I am assuming this is from the new MFA requirements that microsoft put out for administrators.
I am thinking my set up may be wrong somewhere?
Additional note: we only have 50% of our users enrolled in DUO, so the Conditional Access policy is based on a group "EnrolledDUO", so not sure if it's a setting I missed with setting exemptions?
Anyone have insight? DUO Support said its on the microsoft side and cant really help with that.
I also reviewed these articles and didn't see anything that I missed.
https://help.duo.com/s/article/8915?language=en_US
https://duo.com/docs/microsoft-eam
https://duo.com/docs/azure-ca
Thank you both for replying.
I have checked the per user authentication and it is disabled.
I also checked under "Authentication Methods" for devices registered, and there were none.
Additionally, I got to a point where I could click "login in other ways" on the Microsoft page. This allowed to me to login to DUO.
Under that I see the link to https://aka.ms/mfasetup. I removed two tokens that were stored in there. After I removed those, I no longer go to the first prompt where it asks me for "login in other ways"
However, It still doesn't go straight to DUO either.
Once I click to approve it with Cisco DUO, it brings me to the typical DUO universal prompt and the URL changes.
Any more ideas?
It it is working and connecting, just adding an extra step.
