01-28-2025 01:45 PM
We have Azure VMs that we're now joining to Azure AD so we don't have to manage local user accounts. We use Duo throughout the environment. We discovered the web login option with the RDP client, which kicks in Azure MFA when RDPing to the VM, and this method is a lot easier to handle than making sure client systems are also Azure AD joined for the "Azure Windows VM Signin" option; however, it only works if we uninstall Duo.
I've tried bypassing Duo for a number of credential providers hoping that would work, but can't find the right one. Every time we connect we get one of two results.
1) If a local user is logged in, we'll get the "unlock" screen for that user with no option to log in as a different user or,
2) If nobody is logged in, we simply get a blank login screen with no login controls and it will just sit there until it times out.
Is there a Credential Provider we can bypass for the Azure AD "web" logins, or a way for Duo to prompt for Azure AD users? I'd rather have two MFA prompts (pre-connect with Azure and at login with Duo) than not protect the local user accounts.
01-29-2025 06:41 AM
Do you mean this option?
I am pretty sure we don't support and have not tested this type of sign-in with Duo Authentication for Windows.
What kind of sign-in experience do you get with this option (without Duo)? Does it show an interactive browser UI where you enter your Entra ID creds in the microsoftonline dialog, and then get to select an Entra ID MFA option?
If so, maybe Duo for Microsoft EAM could be a solution (Duo MFA as an external authentication method for Entra ID accounts). https://duo.com/docs/microsoft-eam
I also invite you to contact your Cisco/Duo account team or your Duo Care team to submit a feature request for Duo for Windows Logon support of Azure Virtual Desktop (AVD) and web account sign-in. If you don't have those account contacts, you can submit via Duo Support.
01-29-2025 06:48 AM
Yes, that option. Without Duo, the RDP client either uses an existing Azure token or prompts for Azure login with an MFA prompt before allowing the RDP connection to the server. Once authenticated, the RDP session is established. I was able to determine the GUID of the credential provider used during this type of sign-in and added it to Duo's bypass list in the registry, but it seems it still hung up on the login when it was installed.
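The procedure described in the post above (find the GUID of the credential provider in use, then put it on Duo's bypass list in the registry) as an added PowerShell example; this is not code from the thread or from Duo. It assumes Duo for Windows Logon reads its bypass list from the comma-separated string value ProvidersWhitelist under HKLM\SOFTWARE\Duo Security\DuoCredProv, which is how Duo's documentation describes the setting at the time of writing; verify the key and value names against your installed version. It enumerates the registered providers (so you can pick the right GUID instead of guessing), validates the GUID, refuses to add a CLSID that is not actually registered, and supports -WhatIf so you can preview the registry change. Run it elevated.

```powershell
# Added example, not from the original thread or from Duo.
# Assumption: Duo for Windows Logon keeps its credential-provider bypass list in
# the string value ProvidersWhitelist under HKLM\SOFTWARE\Duo Security\DuoCredProv
# (per Duo's documentation; confirm for your installed version).
$CredProvKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$DuoKey      = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
$DuoValue    = 'ProvidersWhitelist'

function Get-CredentialProvider {
    # Windows registers each credential provider as a subkey named by its CLSID;
    # the subkey's default value is the provider's display name.
    Get-ChildItem -Path $CredProvKey | ForEach-Object {
        [pscustomobject]@{
            Clsid = $_.PSChildName
            Name  = (Get-ItemProperty -Path $_.PSPath).'(default)'
        }
    }
}

function Get-DuoBypassList {
    # Returns the GUIDs currently on the bypass list, or an empty array if the
    # value (or the whole Duo key) does not exist yet.
    $raw = (Get-ItemProperty -Path $DuoKey -Name $DuoValue -ErrorAction SilentlyContinue).$DuoValue
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    $raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Add-DuoBypassProvider {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)

    # A typo here silently does nothing (or worse), so insist on a braced GUID.
    if ($Clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        throw "Not a braced GUID: $Clsid"
    }
    # Only bypass providers that are actually registered on this host.
    if (-not (Get-CredentialProvider | Where-Object Clsid -eq $Clsid)) {
        throw "No credential provider registered with CLSID $Clsid"
    }

    $current = @(Get-DuoBypassList)
    if ($current -contains $Clsid) {
        Write-Verbose "$Clsid is already in $DuoValue"
        return $current
    }

    $new = ($current + $Clsid) -join ','
    if ($PSCmdlet.ShouldProcess("$DuoKey\$DuoValue", "set to '$new'")) {
        if (-not (Test-Path $DuoKey)) { New-Item -Path $DuoKey -Force | Out-Null }
        Set-ItemProperty -Path $DuoKey -Name $DuoValue -Value $new -Type String
    }
    return $current + $Clsid
}

# Usage: list the registered providers with their CLSIDs, then add the one you
# identified. Preview with -WhatIf before writing to the registry.
Get-CredentialProvider | Sort-Object Name | Format-Table Name, Clsid -AutoSize
# Add-DuoBypassProvider -Clsid '{00000000-0000-0000-0000-000000000000}' -WhatIf
```

Two things worth keeping in mind when using this. First, any logon that goes through a bypassed provider skips Duo entirely, so the bypass only makes sense where, as in the web sign-in case above, another MFA step already guards that path. Second, the post above reports that adding the web sign-in provider's GUID did not stop the logon from hanging, so treat this as a way to reproduce and adjust the bypass configuration cleanly, not as a confirmed fix.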
01-29-2025 10:37 AM - edited 01-29-2025 10:37 AM
If you want to open a case with Duo Support for further investigation please enable debug logging and reproduce the issue from Duo for Windows Logon, then use the support script to generate a bundle of artifacts we'd need to look further.