Skip navigation
Documentation

Microsoft Azure Active Directory

Contents

Duo integrates with Microsoft Azure Active Directory conditional access policies to add two-factor authentication to Azure Active Directory logons, complete with inline self-service enrollment and Duo Prompt.

About Azure Conditional Access

Microsoft Azure Active Directory (AD) conditional access (CA) allows you to set policies that evaluate Azure Active Directory user access attempts to applications and grant access only when the access request satisfies specified requirements e.g. user group membership, geolocation of the access device, or successful multifactor authentication.

Duo's Microsoft Azure Active Directory application provides strong secondary authentication to Azure Active Directory logons. Additionally, Duo's granular access policies and controls complement and extend the access controls in Azure.

Conditional access with third-party MFA custom controls requires an Azure Active Directory Premium P1 subscription.

Please review Microsoft's Azure conditional access documentation before configuring Duo authentication in your Azure Active Directory tenant.

Note that Azure Active Directory conditional access protects cloud applications only when the user access originates from the following client applications:

Conditional access currently cannot enforce access controls in older Office clients that do not support modern authentication, such as Office 2010. Microsoft relies upon modern authentication workflows to invoke conditional access policies, which in turn apply Duo's MFA custom control. Microsoft is aware of this issue and is developing a feature to block access from legacy Office clients that cannot support modern authentication.

Create the Duo Azure CA Application

  1. Sign up for a Duo account.

  2. Log in to the Duo Admin Panel and navigate to Applications.

  3. Click Protect an Application and locate Microsoft Azure Active Directory in the applications list. Click Protect this Application. (See Getting Started for help.)

  4. Before you can proceed, Duo needs read access to your Azure Active Directory tenant. Click the Authorize button, which takes you to the Azure portal.

    Authorize the Duo Application in Azure

  5. Sign in with an Azure service administrator account (typically an onmicrosoft.com account) that is a global administrator for Azure Active Directory.

    Sign in to Azure

    Duo does not see or store your Azure Active Directory administrator credentials.

  6. Once you've signed in to Azure, you must click Accept to grant Duo the read rights needed to access and read from your Azure Active Directory tenant.

    Grant Azure Permissions to the Duo Application

  7. Accepting the Duo Azure Authentication application's permissions request redirects you back to the Microsoft Azure Active Directory application page in the Duo Admin Panel.

    Copy the Custom control JSON text in the "Details" section of the page. You'll need to provide this information to Azure to complete Duo authentication setup.

    Duo Azure CA Application JSON

  8. You can adjust additional settings for your new Azure Active Directory Duo application at this time — like changing the application's name from the default value, enabling self-service, or assigning a group policy — or come back and change the application's policies and settings after you finish Azure setup. If you do update any settings, click the Save Changes button when done.

Configure Azure

Create the Duo MFA Custom Control

  1. Log in to your Azure Active Directory tenant in the Microsoft Azure Portal as a global administrator.

  2. Go to Azure Active DirectoryConditional Access (listed under the "Security" section).

  3. Click Custom Controls on the left, and then click New Custom Control.

  4. Remove the example custom controls JSON text and paste in the "Custom control" JSON text you copied from the Duo Admin Panel's Microsoft Azure Active Directory application page earlier.

    Duo Azure CA Custom Control JSON Input

    Click the Create button after entering the Duo JSON text. Azure creates the new custom control "RequireDuoMFA".

    Duo Azure CA Custom Control Created

Create and Apply a Duo Conditional Access Policy

  1. While still in the Azure Active Directory Conditional Access configuration blade, click Policies on the left and then click New Policy.

  2. Enter a descriptive name for the new policy, like "Require Duo MFA".

  3. Make your desired policy assignments. You can assign this new policy to your selected users or groups, to specific Azure cloud apps, or to any of the other Azure conditions like client platform or network.

    As an example, click on Users and groups under "Assignments", click Select on the "Users and groups" blade, and locate the users or groups you want to authenticate with Duo. Click on a user or group to select it, then click the Select button on the "Select" blade, followed by clicking the Done button on the "Users and groups" blade.

    In this example the new Duo policy assignment includes the Azure Active Directory group "Duo Users", so members of that group will require Duo two-factor when logging in to Azure Active Directory.

    Duo Azure CA Policy Group Assignment

    Next, click on Cloud apps. On the "Include" tab, click Select and choose the Azure Active Directory applications where you want Duo authentication before access. In this example the Duo cloud apps assignment applies to "Office 365 Exchange Online" and "Office 365 Sharepoint Online". Click Done to save the cloud apps assignment and close that blade.

    Duo Azure CA Policy Cloud App Assignment

    Note: We don't recommend assigning the Duo policy to all users (including tenant administrators) or to all cloud apps at first to avoid the risk of inadvertently blocking administrator access to the Azure Active Directory portal. Verify that your Duo policy and custom control work properly first before assigning the policy to your tenant administrators. You may want to create a fail-safe Azure tenant administrator account that is excluded from Duo MFA policies. Apply a secure password and a different access condition, like one based on a trusted network, to secure this admin account.

    Additionally, the Duo custom control doesn't support external guest Azure logins. Do not apply a conditional access policy requiring Duo MFA to these accounts.

  4. Click Grant under "Access controls". To allow users access with Duo authentication, click on Grant access and check the box next to the RequireDuoMFA custom control you created in the previous steps. While you may choose to combine or require satisfying multiple controls before granting user access, this example simply adds the Duo authentication requirement to the new policy. Click Select when done.

    Duo Azure CA Policy Grant Access with Duo

  5. The final step to creating the new Duo policy is to enable it. Click the On toggle switch underneath "Enable policy", and then click Create. Azure creates and enables the new "Require Duo MFA" policy.

    Duo Azure CA Policy Created and Enabled

    Close the "Conditional access" blade when done.

Test Your Setup

Log in to Azure Active Directory (or, per the example cloud app assignment, Exchange Online) as a user assigned the Duo MFA policy. After submitting the primary Azure credentials, you'll see the Duo Prompt or Duo user enrollment. Complete authentication approval with Duo to log in.

Duo Azure CA Authentication

Troubleshooting

Need some help? Take a look at our Microsoft Azure Active Directory Knowledge Base articles or Community discussions. For further assistance, contact Support.

Network Diagram

Duo Azure CA Authentication Network Diagram

  1. User accesses Microsoft Online or other services using Azure authentication.
  2. User submits primary Azure credentials.
  3. An Azure conditional access policy redirects the client browser to Duo.
  4. User received the Duo Prompt and submits factor selection.
  5. User receives Duo Push authentication request on device.
  6. Authentication approval returned to Duo service.
  7. Secondary authentication approval returned to client.
  8. Client sends Duo approval back to Azure.
  9. Azure grants application or service access once the Duo conditional access policy is satisfied.

Ready to Get Started?

Sign Up Free