Duo integrates with Microsoft Azure Active Directory Conditional Access policies to add two-factor authentication to Azure Active Directory logons, complete with inline self-service enrollment and Duo Prompt.
Microsoft Azure Active Directory (AD) Conditional Access (CA) allows you to set policies that evaluate Azure Active Directory user access attempts to applications and grant access only when the access request satisfies specified requirements, e.g. user group membership, geolocation of the access device, or successful multifactor authentication.
Duo's Microsoft Azure Active Directory application provides strong secondary authentication to Azure Active Directory logons. Additionally, Duo's granular access policies and controls complement and extend the access controls in Azure.
Please review Microsoft's Azure Conditional Access documentation before configuring Duo authentication in your Azure Active Directory tenant.
Azure Government does not yet provide support for custom controls in Conditional Access. Be sure to review Azure Government's additional variations in Azure Active Directory Premium features.
Note that Azure Active Directory Conditional Access protects cloud applications only when the user access originates from the following client applications:
Conditional Access cannot add third-party MFA for Office clients that do not support modern authentication, such as Office 2010. Microsoft relies upon modern authentication workflows to invoke Conditional Access policies, which in turn apply Duo's MFA custom control. You can use Conditional Access to block authentication from legacy Office clients that cannot support modern authentication. Please refer to How to: Block legacy authentication to Azure AD with Conditional Access to learn how to control access from these client applications.
Before starting these steps, you should either not be logged in to the Microsoft Azure administration portal at all, or be logged in as the designated service account for Duo you created as a prerequisite.
Log in to the Duo Admin Panel and navigate to Applications.
Click Protect an Application and locate the entry for Microsoft Azure Active Directory in the applications list. Click Protect to the far-right to configure the application and get your integration key, secret key, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications in Duo and additional application options.
Before you can proceed, Duo needs read access to your Azure Active Directory tenant. Click the Authorize button, which takes you to the Azure portal.
Sign in with the designated Azure service administrator account that has the global administrator role for this Azure Active Directory. If required, complete Azure MFA for that service account admin user.
Duo does not see or store your Azure Active Directory administrator credentials.
Once you've signed in to Azure, you must click Accept to grant Duo the read rights needed to access and read from your Azure Active Directory tenant.
Accepting the Duo Azure Authentication application's permissions request redirects you back to the Microsoft Azure Active Directory application page in the Duo Admin Panel.
Note the Custom control JSON text in the "Details" section of the page. You'll need to provide this information to Azure to complete Duo authentication setup.
You can adjust additional settings for your new Azure Active Directory Duo application at this time — like changing the application's name from the default value, enabling self-service, or assigning a group policy — or come back and change the application's policies and settings after you finish Azure setup (note that the "Hostname Whitelisting" settings have no effect on this application). If you do update any settings, click the Save Changes button when done.
Keep the Duo Admin Panel open so you can copy the custom control JSON text into the Azure portal in the next steps.
Duo's next-generation authentication experience, the Universal Prompt, is coming to web-based applications that display the current Duo Prompt in browsers.
Migration to Universal Prompt for your Azure CA application is a two-step process:
We've already updated the Duo Azure CA application to support the Universal Prompt when it's ready, so there's no action required on your part to update. The "Universal Prompt" section of this application's details page in the Admin Panel reflects this status today as "New Prompt Ready".
When the Universal Prompt becomes available, you'll return here to activate it for users of this application. You'll see the control here for turning it on or off. Until then, your users continue to experience the current Duo prompt.
Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all your Duo applications in-scope for Universal Prompt support.
Read the Universal Prompt Update Guide for more information about the update process to support the new prompt, and watch the Duo Blog for future updates about the Duo Universal Prompt.
If you're interested in participating in a private preview of the Universal Prompt experience, please apply using this form.
Log in to your Azure Active Directory tenant in the Microsoft Azure Portal as a global administrator (if you aren't already logged in).
Go to Azure Active Directory → Security → Conditional Access.
Click Custom Controls on the left, and then click New Custom Control.
Remove the example custom controls JSON text and paste in the "Custom control" JSON text you copied from the Duo Admin Panel's Microsoft Azure Active Directory application page earlier.
Click the Create button after entering the Duo JSON text. Azure creates the new custom control "RequireDuoMFA".
While still in the Azure Active Directory Conditional Access configuration blade, click Policies on the left and then click New Policy.
Enter a descriptive name for the new policy, like "Require Duo MFA".
Make your desired policy assignments. You can assign this new policy to selected users or Azure security groups, to specific Azure cloud apps, or to any of the other Azure conditions like client platform or network.
As an example, click on Users and groups under "Assignments", click Select on the "Users and groups" blade, and locate the users or Azure security groups you want to authenticate with Duo. Click on a user or security group to select it, then click the Select button on the "Select" blade, followed by clicking the Done button on the "Users and groups" blade.
In this example the new Duo policy assignment includes the Azure Active Directory group "Duo Users", so members of that group will require Duo two-factor when logging in to Azure Active Directory.
Next, click on Cloud apps. On the "Include" tab, click Select and choose the Azure Active Directory applications where you want Duo authentication before access. In this example the Duo cloud apps assignment applies to "Office 365 Exchange Online" and "Office 365 Sharepoint Online". This means that the policy (and the Duo custom control in it) gets applied when the users assigned that policy access the Exchange and SharePoint applications only. Other Azure and Office applications not specified by the policy assignment, including the Office 365 portal itself, will not exercise the Conditional Access control at login and therefore will not require Duo MFA. If you want your users logging into the Office 365 portal using Duo MFA, then select the All cloud apps option.
Click Done to save the cloud apps assignment and close that blade.
Note: We don't recommend assigning the Duo policy to all users (including tenant administrators) or to all cloud apps at first to avoid the risk of inadvertently blocking administrator access to the Azure Active Directory portal. Verify that your Duo policy and custom control work properly before assigning the policy to your tenant administrators or to all cloud apps. You should create a fail-safe Azure tenant administrator account that is excluded from Duo MFA policies to ensure uninterrupted admin access. Apply a secure password and a different access condition, like one based on a trusted network, to secure this admin account.
Additionally, the Duo custom control doesn't support external guest Azure logins. Do not apply a Conditional Access policy requiring Duo MFA to these accounts.
Click Grant under "Access controls". To allow users access with Duo authentication, click on Grant access and check the box next to the RequireDuoMFA custom control you created in the previous steps. While you may choose to combine or require satisfying multiple controls before granting user access, this example simply adds the Duo authentication requirement to the new policy. Click Select when done.
The final step to creating the new Duo policy is to enable it. Click the On toggle switch underneath "Enable policy", and then click Create. Azure creates and enables the new "Require Duo MFA" policy.
Close the "Conditional Access" blade when done.
Log in to Azure Active Directory (or, per the example cloud app assignment, Exchange Online) as a user assigned the Duo MFA policy.
If you chose to apply the Duo Conditional Access policy to "All cloud apps", then when you log in to the Office portal you'll see the Duo Prompt or Duo user enrollment right after submitting your primary Azure credentials. Complete authentication approval with Duo to log in.
If you applied the Duo Conditional Access policy to specific applications, then the initial Office portal login won't prompt for Duo MFA, but accessing the protected application from within the Office portal after logging in or accessing the protected application directly (bypassing the Office portal) will prompt for Duo MFA.
Each Azure CA custom control is a single application in Duo, even though you may opt to apply that single control to multiple Azure or Office applications. If you enable Remembered Devices on the Microsoft Azure Active Directory Duo application, then if a user signs into one application that has that control applied and chooses to remember that device when performing Duo authentication, then other Azure and Office applications with that same Duo control applied won't require the user to perform Duo MFA again.
If you want the Azure and Office applications you protect with Duo to have distinct Remembered Devices settings, or any other combination of Duo settings, you can create multiple Duo custom controls with different settings.
You may wish to create multiple Duo Conditional Access policies with unique Duo policy settings to apply to different Azure applications or users. The process of creating additional Duo custom controls in Azure is slightly different than creating the first one. You'll need to edit the custom control JSON text provided by Duo with some unique values before saving the new control.
Locate the following attributes in the "Controls" section of the Duo JSON text and give them unique values:
Id: Append text to RequireDuoMfa, for example RequireDuoMfa-ALT.
Name: Append text to RequireDuoMfa, for example RequireDuoMfa-ALT.
Then locate the second Name attribute, the one after the "DiscoveryUrl" attribute, and append text to Duo Security, for example Duo Security-2.
Full example of the Duo JSON updated with the unique values (the control Id, the control Name, and the top-level Name):
{
  "AppId": "XXXXX",
  "ClientId": "XXXXX",
  "Controls": [
    {
      "ClaimsRequested": [
        {
          "Type": "DuoMfa",
          "Value": "MfaDone",
          "Values": null
        }
      ],
      "Id": "RequireDuoMfa-ALT",
      "Name": "RequireDuoMfa-ALT"
    }
  ],
  "DiscoveryUrl": "https://us.azureauth.duosecurity.com/.well-known/openid-configuration",
  "Name": "Duo Security-2"
}
Click Create to create the additional Duo custom control.
Apply the additional Duo control to users or applications via Azure Conditional Access.
You can repeat this process as many times as you wish to create multiple Duo controls for use with Conditional Access policies.
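The following script is an added example, not part of the Duo documentation or Duo's own tooling. It automates the editing step described above: it takes the custom control JSON text copied from the Duo Admin Panel, appends a suffix to the three attributes that must be unique for each additional control (every Controls[].Id, every Controls[].Name, and the top-level Name), checks that the result still carries the fields Azure expects and that the DiscoveryUrl is an HTTPS endpoint on duosecurity.com, and refuses to emit a control whose Id collides with one you already registered in the tenant. The sample JSON embedded below is constructed with the same "XXXXX" placeholders as the page; the function names and the existing_ids parameter are assumptions of this example.

```python
"""Derive an additional Duo custom-control JSON for Azure AD Conditional Access.

Hypothetical helper written for this example (not Duo's or Microsoft's code).
"""
import copy
import json
from urllib.parse import urlparse

# Constructed sample in the shape of the Duo-provided control. The real AppId
# and ClientId values come from the Duo Admin Panel; these are placeholders.
ORIGINAL_CONTROL_JSON = """{
  "AppId": "XXXXX",
  "ClientId": "XXXXX",
  "Controls": [
    {
      "ClaimsRequested": [
        {"Type": "DuoMfa", "Value": "MfaDone", "Values": null}
      ],
      "Id": "RequireDuoMfa",
      "Name": "RequireDuoMfa"
    }
  ],
  "DiscoveryUrl": "https://us.azureauth.duosecurity.com/.well-known/openid-configuration",
  "Name": "Duo Security"
}"""


def validate_control(control: dict) -> None:
    """Raise ValueError if the control lacks the attributes shown on the page
    or if the DiscoveryUrl does not point at an HTTPS duosecurity.com host."""
    for key in ("AppId", "ClientId", "Controls", "DiscoveryUrl", "Name"):
        if key not in control:
            raise ValueError(f"missing top-level attribute: {key}")
    if not control["Controls"]:
        raise ValueError("Controls must contain at least one entry")
    for entry in control["Controls"]:
        for key in ("ClaimsRequested", "Id", "Name"):
            if key not in entry:
                raise ValueError(f"missing control attribute: {key}")
    url = urlparse(control["DiscoveryUrl"])
    if url.scheme != "https" or not url.netloc.endswith(".duosecurity.com"):
        raise ValueError("DiscoveryUrl is not an https duosecurity.com endpoint")


def derive_control(control_json: str, control_suffix: str, display_suffix: str,
                   existing_ids=frozenset()) -> dict:
    """Return a copy of the Duo control with unique Id/Name values.

    control_suffix is appended to every Controls[].Id and Controls[].Name
    (e.g. "-ALT" gives "RequireDuoMfa-ALT"); display_suffix is appended to the
    top-level Name (e.g. "-2" gives "Duo Security-2"). existing_ids holds the
    custom-control Ids already present in the tenant, so a collision is caught
    before the JSON is pasted into the Azure portal. The input is not modified.
    """
    control = json.loads(control_json)
    validate_control(control)
    derived = copy.deepcopy(control)
    for entry in derived["Controls"]:
        new_id = entry["Id"] + control_suffix
        if new_id in existing_ids:
            raise ValueError(f"custom control Id already exists: {new_id}")
        entry["Id"] = new_id
        entry["Name"] = entry["Name"] + control_suffix
    derived["Name"] = derived["Name"] + display_suffix
    validate_control(derived)
    return derived


def render(control: dict) -> str:
    """Pretty-print the control as JSON text ready to paste into the portal."""
    return json.dumps(control, indent=2)


if __name__ == "__main__":
    # The first control, "RequireDuoMfa", is assumed to exist in the tenant.
    alt = derive_control(ORIGINAL_CONTROL_JSON, "-ALT", "-2",
                         existing_ids={"RequireDuoMfa"})
    print(render(alt))
```

Because the existing-Id check runs before anything is written, running the script with an empty suffix against a tenant that already has "RequireDuoMfa" fails fast instead of producing a second control Azure would reject or confuse with the first.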
Need some help? Take a look at our Microsoft Azure Active Directory Knowledge Base articles or Community discussions. For further assistance, contact Support.