How Duo + Microsoft Zero Trust Integrations Work: SANS, Azure & BYOD
Duo's strategic partnership with Microsoft enables us to offer natively integrated, best-in-class security solutions that is both easy to use and simple to deploy, enabling a faster and more secure digital transformation for customers.
— Ganesh Umapathy, Product Marketing Manager for Duo
The Current Security Landscape
The shift to remote work has had IT security ramifications: not only are people using both their personal and corporate-managed devices to access business applications, they’re also logging onto systems from various locations, sharing devices with family members, and installing various software for personal use. While these changes are in some ways necessary to adapting to all that’s happened in the last year, they also provide opportunities for attackers.
This year has seen a rise of attacks targeting cloud services, with Microsoft Office 365 being the most commonly targeted service. So how can organizations better track what’s happening in their environments and protect their employees’ identities while securing access to their Microsoft applications from any device?
A Better Approach to Security: Zero Trust
Zero trust is an approach where trust is established for every access request, regardless of where the request is coming from, by requiring multiple factors to confirm before granting access. This method secures access across applications and networks, ensuring only the right users and devices have access. Taking a zero trust approach to security can extend trust by providing visibility and adding layers of protection which are easy for end users and support modern enterprises with BYOD (bring your own device), cloud apps, hybrid environments, and more.
Duo delivers zero trust for the workforce by verifying the identity of users and the health of their devices before connecting to the applications they need.
The Three Pillars of Duo’s Zero-Trust Approach:
1: Establish User Trust
Duo provides a set of tools for verifying a user’s identity through our strong multi-factor authentication (MFA) which asks for validation via something you know, something you have and something you are. According to Microsoft, using MFA prevents 99.9% of account hacks. By gathering information in the context of the user’s access request, such as location of access, time of access, network of accessand the device used to request the access, Duo can greenlight or block a user’s access.
Our MFA solution is one of the most easy-to-use and secure solutions out there, both for end users and administrators. Administrators can deploy our solution quickly and efficiently (rollouts can take merely a few days,) and end users have the option of self-enrollment, which empowers the user to enroll themselves without impacting productivity, therefore saving time.
Our MFA solution is also incredibly secure, supporting out-of-band methods such as Duo Push, and providing flexible authentication options such as SMS, OTPs, and soft tokens through our mobile application, as well as more advanced methods such as universal two-factor authentication using security keys such as Yubikey.
Duo can work with any application, whether it’s a cloud-based Saas application like O365, an on-prem environment, or a hybrid environment.
2: Establishing Device Trust
Because Duo is in the application access path, we can provide complete visibility into all devices accessing Duo-protected applications. Many organizations underestimate the number of devices accessing their networks, but Duo can help inventory previously undetected devices. For example, we had a customer’s IT team discover that there were twice as many devices connecting to their network than they had accounted for.
Duo can also perform posture (security risk) assessments on these devices by checking if the device is corporate-managed, if the operating system and browsers are up-to-date, whether Java plugins are installed, or if password encryption is turned on. And because we follow the zero-trust framework of “never trust, always verify,” these checks are performed every time access is requested, creating a tight ring of security around your organization’s network
3: Enforcing Adaptive Policies
Duo enables rich user and device context, as well as adaptive granular policy controls. For example, a typical policy of Duo customers might limit access to users in the US who are using a particular set of networks with a particular set of IP addresses from a managed device. In this way, Duo allows the organization to adhere to whatever compliance frameworks are required.
Duo’s policy engine is quite robust, enabling organizations to set policies at a global level for the entire organization, at each application level based on the sensitivity of the application, or at a user group level based on that group’s set of privileges. There are many levels of controls and policies for access that can be set at a granular level. This is truly one of the most important security features Duo offers.
Providing Duo’s Zero-Trust Security Framework to Microsoft Environments
Duo has a great partnership with Microsoft. Currently, we have over 10,000 joint customers, including Qualcomm, Expedia, 3M, and MIT, and over 5,000 of these customers use Duo to protect Azure Active Directory. And these customers are not just using Duo for our expertise in MFA, but for our expertise in security, including our device hygiene and policy engine.
Wherever you are in your journey to the cloud, whether your directory is in AD or Microsoft Entra ID, or you’re in the process of migrating from Outlook to Office 365, Duo can protect your applications securely and with the same ease of use.
How Duo Protects Microsoft Azure
Duo natively integrates with Microsoft Entra ID’s conditional access policies, as well as secures access to remote desktop, Exchange, and O365 deployments. In fact, with the move to remote work, Duo has seen RDP authications go up by over a million authentications a day. Duo also has the ability to protect offline access into Windows machines using OTP and U2F tokens.
How Duo Secures Managed Devices
In a basic use case, organizations want to set policies to allow access only to managed devices into certain applications. There are different ways to do this, but in today’s remote world, where the VPN load is being tested for many organizations, IT administrators are asking users to select VPN only if they are using it to log into network devices and accessing SaaS applications over the internet to manage the bandwidth.
In this situation, there’s no easy way to check whether the device is managed or not. However, Duo’s authentication workflow can intercept the access request, and thanks to our recent integration with Microsoft's Intune, allows you to check if the device is enrolled in your Intune management system. Alternatively, we can check to see if the device is a Windows AD domain-joined device.
How Duo Protects Unmanaged Devices
A second use case we’ve seen embraces bring your own device (BYOD). Typically these devices are outside of IT’s control, and it can be hard if not impossible for them to check if the device has a high enough level of hygiene to grant application access.
Luckily, Duo has several options, including an agentless option, which assesses device hygiene through browsers. We also have a lightweight client, the Duo Device Health application, which checks the device hygiene at the time of access, and only performs certain checks.
Duo's Device Health Checks Include:
Is the Windows OS updated?
Is the device encrypted?
Is it password protected?
Is Windows Defender running?
Is the firewall enabled?
In Summary
Duo protects Microsoft applications by verifying the trust of the user and the health of the device before granting access to the application, and we do this each time access is requested.
We do this with our consistent access policies, whether the applications are in the cloud or on-prem, online or offline. We do this through speed to security through our native integrations with Office 365, Microsoft Entra ID, and Intune and self-service workflows, which can be deployed in minutes. (Yes, minutes! In previous speed tests, one of our security engineers was able to set up a native integration in Microsoft Entra ID in less than five minutes.)
We balance security with user experience by reducing friction, boosting productivity, and allowing for customizable policy controls and self-remediation options to decrease helpdesk tickets. All of these things allow you to mitigate your risk due to BYOD, and Duo helps you do this by improving device visibility and risk assessment options without agents and without performing actions without the user’s permission.
For a more in-depth discussion on simplifying remote work and reducing risk with Microsoft and Duo, please take a look at this recent webinar (below), hosted by SANS Analyst Dave Shackleford, and Duo’s Leya Leydiker and Ganesh Umapathy.
Try Duo For Free
Sign-up for a free trial to experience the product and see how Duo can give you deep device visibility and get started with Device Trust.