Skip navigation
Product & Engineering

Now Available: Microsoft 365 Application for Duo Single Sign-On

When I open my laptop for the first time in the morning, one of the first things I check is my email. As a Duo team member, and as part of the greater Cisco organization, I am one of more than 258 million monthly active subscribers of Microsoft 365. Because this service is integral to the working lives of our customers and ourselves, we wanted to ensure that you can easily yet securely access your emails, documents, and presentations from any device and any location.

That’s why we’re happy to share that Duo now offers a Microsoft 365 application for Duo Single Sign-On (Duo SSO), allowing you to federate your Microsoft 365 domains with Duo SSO. 

Where We Started: Duo Access Gateway, 2015

In 2015 we introduced the Duo Access Gateway (DAG), which used SAML 2.0 to authenticate users into Office 365 (now Microsoft 365). Next, we added support for legacy authentication protocols (Basic Authentication).

Since its inception, nearly half of all customers using the DAG consistently leverage it for at least Microsoft 365 — both for Modern and Basic Authentication. Many customers even use the DAG exclusively to protect Microsoft 365!

For these customers, the many pain points of maintaining an on-premises SSO offering — configuring servers, managing certificates, configuring high-availability, making sure everything is kept up-to-date — increasingly consume more time and resources that could be used to solve and improve other IT issues. That’s a lot of overhead for a single, albeit business-critical, application.

Building a Better Solution

Because the metrics we observed with the DAG are not trivial by any means, and we’d begun work on our hosted Duo Single Sign-On (SSO) offering, we knew that we had to deliver the best experience possible for Microsoft 365, for administrators as well as users. 

Keeping that in mind, we worked hand-in-hand with Microsoft to design, build, and validate according to their best practices by using WS-Federation, WS-Trust and WS-MetadataExchange, instead of SAML 2.0.

This allows us to fully support a wider range of modern and legacy authentication workflows, improving the end user experience, and aligning with Microsoft’s current and future product plans. These include, but are not limited to:

  • Web browser logins
  • Microsoft Office application logins
  • Azure AD Management Tools
  • Legacy email client logins
  • Azure AD and Hybrid Domain Joins
  • Windows Autopilot

When using WS-Trust for legacy workflows, we also give the option to limit access based on IP address, user agents and/or groups. We want to help customers move toward more modern authentication workflows, but we also recognize this isn’t always an overnight shift. These controls allow organizations to incrementally scale back on legacy usage. 

We’ve also made it easier than ever to get Microsoft 365 working with Duo by providing a prebuilt configuration script after entering some information about your tenant into the Duo Admin Panel. Long gone are the days of typos that have plagued our customers, and often technical support teams!

What’s Next with Microsoft and Duo?

Our partnership with Microsoft is stronger than ever, and we’re incredibly proud and excited to provide our joint customers with one more place to take advantage of Duo SSO. In addition to providing more options today, it also prepares our customers for the release of our upcoming Passwordless authentication solution!


Duo SSO is just getting started. Want to follow along? Subscribe to our release notes.

To learn more about Duo SSO and Duo Central as a whole, view our official documentation.


Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.