Duo Two-Factor Authentication for Microsoft Entra ID External Authentication Methods (EAM)

Last Updated: December 13th, 2024

Duo integrates with Microsoft Entra ID as an external authentication method to add two-factor authentication to Entra ID logons, offering inline user enrollment, self-service device management, and support for a variety of authentication methods — such as passkeys and security keys, Duo Push, or Verified Duo Push — in the Universal Prompt.

About Microsoft EAM

Microsoft opened up the Azure Active Directory (now known as Entra ID) ecosystem in 2017 to allow third parties, like Duo, to create custom controls for additional authentication. The Duo custom control for conditional access lets users log in with the simple and feature-rich Duo two-factor authentication prompt, but not without some platform limitations — most significant among them that additional authentication completed within a custom control does not satisfy conditional access policies that require multifactor authentication (MFA).

In 2020, Microsoft announced their intent to replace custom controls with a new method of integrating third-party authentication. As a trusted partner, Duo has been collaborating with Microsoft to deliver an authentication solution for their new Microsoft External Authentication Methods, or EAM framework, available as of May 2024.

Duo is among the first third-party providers delivering an integration on this new platform, and Duo via EAM is fully recognized as a multifactor authentication method in Entra ID, satisfying MFA policy requirements. Once you define Duo as an EAM provider, you will be able to create Entra ID conditional access policies with MFA via Duo and assign them to specific users, groups, or applications.

Learn more about the EAM public preview on the Microsoft blog.

Microsoft External Authentication methods require an Entra ID P1 or P2 subscription. Verify your Microsoft subscription features before proceeding.

Known Limitations

  • Users who are able to bypass Duo MFA — because the user has "Bypass" status applied directly or via Duo group membership, or the user's effective policy for the Entra ID EAM application in Duo has the new user policy set to "Allow access without 2FA", the authentication policy set to "Bypass MFA", or the policy has an authorized networks configuration that does not require 2FA — may not use Duo as an external authentication method for Entra ID MFA. These users will receive an error in the Microsoft portal and be unable to complete authentication.

    The claim returned to Microsoft after Duo authentication includes information about the factor used to satisfy MFA requirements. When a user bypasses active Duo authentication the MFA factor requirement is not satisfied during this authentication. To avoid these failures, adjust your Duo policies or effective status of your users so they can satisfy the MFA requirement, or adjust your Entra ID conditional access policy so that it does not target users who are able to bypass Duo authentication.

    Bypassing Duo authentication via a valid remembered devices session is supported and returns a valid MFA method for external authentication.

  • Users must explicitly choose the Duo EAM option during authentication. If they have other MFA methods besides Duo configured, they may need to click Other options on the Microsoft "Verify your identity" prompt to be able to choose the Duo method. Microsoft plans to add system-preferred defaults for EAM in the future, which will prioritize the default method displayed during authentication.

  • The Duo external authentication method doesn't support external guest user logins.

  • The Duo external authentication method does not fully support cross-tenant users. Cross-tenant user authentication will only work if:

    • The external Microsoft Entra organization trusts MFA claims from the authenticating user’s home tenant.
    • The authenticating user has a valid MFA claim established via authentication to an application in their home tenant before accessing the cross-tenant application.
  • Entra ID external authentication methods are now available in Microsoft's Commercial and Government tenants. See Microsoft Entra feature availability in Azure Government.

    • The Duo "Microsoft Entra ID: External Authentication Methods" application is available in Duo Federal plans for use with Azure Commercial and GCC tenants.
    • While Azure Government High (GCC High) does support Entra ID external authentication methods, Duo Federal is not available within FedRAMP High. Therefore, GCC High customers may not use Duo EAM.

Prerequisites

Create the Duo Entra ID Application

Before starting these steps, you should either not be logged in to the Microsoft Entra admin center at all, or be logged in as the designated service account with the necessary role privileges for Duo you created as a prerequisite.

  1. Sign up for a Duo account if you do not already have one.

  2. Log in to the Duo Admin Panel and navigate to Applications → Protect an Application.

  3. Locate the entry for Microsoft Entra ID: External Authentication Methods in the applications list. See Protecting Applications for more information about protecting applications with Duo and additional application options.

  4. Before you can proceed, Duo needs read access to your Entra ID tenant. Click the Authorize button, which takes you to the Microsoft portal.

  5. Sign in with the designated Entra ID service administrator account. If required, complete Entra ID MFA for that service account admin user.

    Sign in to Entra ID

    Duo does not see or store your Entra ID administrator credentials.

  6. Once you've signed in to Entra ID, you must check the box next to Consent on behalf of your organization and then click Accept to grant the Cisco Duo External Authentication Method application the rights needed to access and read directory information from your Entra ID tenant.

    Grant Entra ID Permissions to the Duo Application
  7. Accepting the Duo Entra ID Authentication application's permissions request redirects you back to the Microsoft Entra ID: External Authentication Methods application page in the Duo Admin Panel.

  8. You can adjust additional settings for your new Microsoft Entra ID: External Authentication Methods Duo application at this time — like changing the application's name from the default value, enabling self-service, or assigning a group policy — or come back and change the application's policies and settings after you finish Entra ID setup (note that the "Hostname Whitelisting" settings have no effect on this application). If you do update any settings, click the Save button when done.

  9. Keep the Duo Admin Panel open so you can copy Duo application information into the Entra ID admin center in the next steps.

Duo Universal Prompt

The Duo Universal Prompt provides a simplified and accessible Duo login experience for web-based applications, offering a redesigned visual interface with security and usability enhancements.

(Screenshots: Duo Push in Universal Prompt; Duo Push in Traditional Prompt)

The Duo Microsoft Entra ID: External Authentication Methods application supports the Universal Prompt by default, so there's no additional action required on your part to start using the newest authentication experience.

Activate Universal Prompt

Activation of the Universal Prompt is a per-application change. Activating it for one application does not change the login experience for your other Duo applications. Universal Prompt is already activated for new Microsoft Entra ID: External Authentication Methods applications at creation.

The "Universal Prompt" area of the application details page shows that this application's status is "Activation complete", with these activation control options:

  • Show traditional prompt: Your users experience Duo's traditional prompt via redirect when logging in to this application.
  • Show new Universal Prompt: (Default) Your users experience the Universal Prompt via redirect when logging in to this application.

The application's Universal Prompt status shows "Activation complete" both here and on the Universal Prompt Update Progress report.

Universal Prompt Info - Universal Prompt Activation Complete

For the time being, you may change this setting to Show traditional prompt to use the legacy experience. Keep in mind that support for the traditional Duo prompt ended for the majority of applications in March 2024. This option will be removed in the future.

Universal Update Progress

Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all your Duo applications. You can also activate the new prompt experience for multiple supported applications from the report page instead of visiting the individual details pages for each application.

Configure Entra ID

Create the Duo MFA External Authentication Method

  1. Log in to your Entra ID tenant in the Microsoft Entra admin center at https://entra.microsoft.com as a global administrator (if you aren't already logged in).

    If you try to perform these configuration steps from the Azure portal (https://portal.azure.com) the navigation is slightly different.

  2. In the Entra Admin Center, go to Protection → Authentication Methods → Policies.

    If you logged into the Azure portal instead of the Entra Admin Center, first click Microsoft Entra ID then go to Security → Authentication Methods → Policies.

  3. Click + Add External Method.

  4. Once on the "Add external method" page enter a descriptive Name for the Duo Method. We have provided the default name "Cisco Duo" but you may enter a different name. Your users see this name during Entra ID authentication as they choose which authentication method to use, so use a name that makes sense to users in your organization. You can't change the name after creation.

    Note that the name must be unique among all EAMs within your Entra ID tenant. If you need to create multiple EAMs (e.g. if you have multiple Duo tenants attached to a single Entra ID tenant), each one must have a unique name.

  5. Return to the Duo Admin Panel and copy the Client ID value from the Microsoft Entra ID: External Authentication Methods application's page. Switch back to the Entra ID admin center and paste it into the Client ID field on the "Add external method" page.

  6. Copy the Discovery Endpoint value from the Microsoft Entra ID: External Authentication Methods application's page in the Duo Admin Panel, and then paste it into the Discovery Endpoint field in Entra ID.

  7. Copy the App ID value from Duo for the application, and paste it into the Entra ID App ID field.

  8. If you want to enable the new Duo EAM method immediately, toggle Enable from Off to On.

  9. Before saving the new Duo external method, choose which users you want to use this new method. By default, it applies to all users, meaning that any Entra ID user in your tenant with an effective Conditional Access policy set to "Require multifactor authentication" will see Duo as an authentication option as soon as you enable this new method.

    If you wish to target availability of the Duo external method to specific users, click + Add Target on the "Include" tab and choose Select Targets. On the "Add directory members" page you can select one or more of your Entra ID directory groups containing the users you want to use Duo authentication. Click Select to add your choices as targeted groups.

  10. After entering all required information click Save to create the new Duo external method.

    Add the Duo External Method

Note: If the "Request admin consent" information shows a Request permission button instead of saying "Admin consent granted", double-check to make sure you entered the correct App ID value from the Duo Admin Panel. If the App ID information is correct, click the Request permission button to authorize the permission grant for the Cisco Duo External Authentication Method application, making sure to check the box next to Consent on behalf of your organization before clicking Accept.

Create and Apply a Duo Conditional Access Policy

  1. While still in the Microsoft Entra admin center click Conditional Access on the left and then click + Create New Policy.

    If you are in the Azure portal, go to Security → Conditional Access → Policies.

  2. Enter a descriptive name for the new policy, for example "Duo MFA for Acme Users".

  3. Make your desired policy assignments. You can assign this new policy to selected users or Entra ID security groups, to specific Entra ID cloud apps, or to any of the other Entra ID conditions like client platform or network.

    1. As an example, click on Users under "Assignments", click Select users and groups on the "Include" tab, choose Users and groups, click 0 users and groups selected, and locate the users or Entra ID security groups you want to authenticate with Duo. Click on a user or security group to select it, then click the Select button on the "Select users and groups" page to apply your selection. If you targeted specific groups when creating your Duo external method then make sure to apply the new policy to those same groups.

      In this example the new Duo policy assignment includes the Entra ID group "Duo Acme EAM", so members of that group will see Duo as an available authentication method when logging in to Entra ID.

      Duo Entra ID CA Policy Group Assignment
    2. Next, click on Target resources. On the "Include" tab, click Select apps and choose the Entra ID applications where you want Duo authentication before access.

      In this example the Duo cloud apps assignment applies to "Office 365". Other Entra ID applications not specified by the policy assignment will not apply this conditional access policy at login and therefore will not offer the Duo MFA method.

      Duo Entra ID CA Policy Cloud App Assignment

      Note: We don't recommend assigning the Duo policy to all users (including tenant administrators) or to all cloud apps at first to avoid the risk of inadvertently blocking administrator access to the Entra ID portal. Verify that your Duo policy and EAM factor work properly before assigning the policy to your tenant administrators or to all cloud apps. You should create a fail-safe Entra ID tenant administrator account that is excluded from Duo MFA policies to ensure uninterrupted admin access. Apply a secure password and a different access condition, like one based on a trusted network, to secure this admin account.

    3. Make any additional policy assignments you wish, such as defining networks or conditions.

  4. Click Grant under "Access controls", and then click on Grant access and check the box for Require multifactor authentication. Click Select when done.

    Duo Entra ID CA Policy MFA Required to Grant Access
  5. The final step to creating the new Duo policy is to enable it. Click the On toggle switch underneath "Enable policy", and then click Create. Entra ID creates and enables the new MFA-required policy targeting your selected groups or users.
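The two procedures above (creating the Duo external method and the conditional access policy that requires MFA) can also be scripted. This is an added example, not part of Duo's documentation or Duo's own tooling; it assumes the Microsoft Graph PowerShell SDK, the Graph beta externalAuthenticationMethodConfiguration resource, and an admin holding the Policy.ReadWrite.AuthenticationMethod and Policy.ReadWrite.ConditionalAccess permissions. All IDs are placeholders to be replaced with values from your Duo Admin Panel and Entra ID tenant.

```powershell
# Added example (not Duo's code): create the Duo EAM and a pilot CA policy via Microsoft Graph.
# Assumes the beta externalAuthenticationMethodConfiguration resource and the Microsoft.Graph SDK.

# Values copied from the Duo "Microsoft Entra ID: External Authentication Methods" application page.
$DuoClientId     = '<Duo Client ID>'            # placeholder
$DuoDiscoveryUrl = '<Duo Discovery Endpoint>'   # placeholder
$DuoAppId        = '<Duo App ID>'               # placeholder
$PilotGroupId    = '<object id of the pilot group, e.g. "Duo Acme EAM">'   # placeholder
$BreakGlassId    = '<object id of the fail-safe tenant admin account>'      # placeholder
$EamName         = 'Cisco Duo'                  # shown to users; cannot be changed after creation

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'Policy.ReadWrite.ConditionalAccess'

$configUri = 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations'

# The EAM name must be unique in the tenant, so refuse to create a duplicate.
$existingEams = (Invoke-MgGraphRequest -Method GET -Uri $configUri).value |
    Where-Object { $_.'@odata.type' -eq '#microsoft.graph.externalAuthenticationMethodConfiguration' }
if ($existingEams.displayName -contains $EamName) {
    throw "An external authentication method named '$EamName' already exists."
}

# Step 1: register Duo as an external authentication method, targeted at the pilot group only.
# Use targetType 'group' with id 'all_users' to make Duo available to every user instead.
$eam = @{
    '@odata.type'        = '#microsoft.graph.externalAuthenticationMethodConfiguration'
    displayName          = $EamName
    state                = 'enabled'
    appId                = $DuoAppId
    openIdConnectSetting = @{ clientId = $DuoClientId; discoveryUrl = $DuoDiscoveryUrl }
    includeTargets       = @(@{ targetType = 'group'; id = $PilotGroupId })
}
Invoke-MgGraphRequest -Method POST -Uri $configUri -ContentType 'application/json' `
    -Body ($eam | ConvertTo-Json -Depth 5)

# Step 2: a conditional access policy that requires MFA for the same pilot group on Office 365.
# The fail-safe admin account is excluded so a misconfigured Duo method cannot lock admins out.
$policy = @{
    displayName   = 'Duo MFA for Acme Users'
    state         = 'enabled'
    conditions    = @{
        users        = @{ includeGroups = @($PilotGroupId); excludeUsers = @($BreakGlassId) }
        applications = @{ includeApplications = @('Office365') }   # Graph's id for the Office 365 app set
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Tenant-wide admin consent for the Duo application (the "Request admin consent" note above) is not performed by this script and still has to be granted as described in the steps.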

Limit Registration of Alternate Authentication Methods

You may want to prevent Entra ID from offering your users the option to set up the Microsoft Authenticator app for sign-in if you want them to use Duo instead.

Be sure that your Entra and Azure administrators have at least one Microsoft built-in authentication method enabled and registered as a backup to ensure they always have emergency access to critical resources.

  1. In the Entra ID admin center go to Protection → Authentication methods → Registration campaign.

  2. Click Edit and change the State to Disabled. Click Save. You could also leave the registration campaign on and exclude any groups of users to which you applied the Duo MFA conditional access policy instead.

  3. Go to Protection → Authentication methods → Settings → System preferred multifactor authentication.

  4. Click Edit and change the State to Disabled. Click Save.

  5. Go to Protection → Authentication methods → Policies. Click Microsoft Authenticator.

  6. On the “Enable and Target” tab, click the Enable toggle to turn Microsoft Authenticator Off.

    If you want to have Microsoft Authenticator available as an option for emergency administrator access, leave it in the enabled state and instead use the "Include" or "Exclude" tabs to either target a group of administrator accounts who should have Authenticator as an option, or select groups of your users who should not be able to register Authenticator.

  7. Click Save.

Confirm Authentication Methods Policy Migration Status

  1. In the Entra ID admin center go to Protection → Authentication methods → Policies.

  2. In the main window, click the Manage Migration link and review your current setting.

    Duo Entra ID Authentication Methods Migration Status
  • If "Manage migration" is set to "Pre-migration", then both the authentication methods policy and the legacy MFA policy apply when determining what methods are available to users during authentication.

  • If "Manage migration" is set to "Migration In Progress", then the authentication methods policy, legacy MFA policy, and the legacy SSPR policies apply when determining what methods are available to users during authentication.

In either case, if Microsoft Authenticator or other methods are available in any of the effective policies, that option will then be available to users during authentication.

To resolve this and effectively limit the options to only the Duo external authentication method, consider completing the migration to the Entra ID authentication methods policy. Please see Microsoft's documentation for more detailed information: How to migrate MFA and SSPR policy settings to the Authentication methods policy for Microsoft Entra ID. After completing the policy migration, you should see the user experience match the authentication methods policy.

If you are not ready to complete your migration, you can limit availability of Microsoft Authenticator and other options by following the instructions below based on your current migration status.

If your migration status is set to "Pre-migration":

  1. In your Entra ID portal, navigate to Users → All Users → Per-User MFA.

  2. On the "Per-user MFA" page, navigate to Service Settings.

  3. Under Verification Options, deselect any methods you do not wish users to have access to and save.

    Note: Until you complete the Authentication Methods migration, these changes will apply to all users tenant wide.

If your migration status is set to "Migration In Progress" then complete these additional steps:

  1. Navigate to Users → Password reset → Authentication methods.

  2. Under Methods available to users, disable any methods you do not wish to be available to any users who have Entra ID SSPR (self-service password reset) enabled.

    To confirm which users can use SSPR, go to Protection → Password reset → Properties and review the current "Self service password reset enabled" options.

    Note: If your users who use EAM also use Microsoft Entra self-service password reset (SSPR), you cannot limit to only the Duo EAM authentication method at this time. Users requiring Entra ID SSPR functionality will need to have at least one of the Microsoft built-in methods that Entra SSPR supports enabled alongside the Duo EAM.

Test Your Setup

Log in to Entra ID as a user assigned the CA policy which requires MFA and who is a target of the newly-created Duo external method.

If you chose to apply the Duo Conditional Access policy to "All cloud apps", then when you log into the Office portal and submit your primary Entra ID credentials, you'll see your Duo external authentication method as an option for identity verification. The name shown here is the name you entered when you created the Duo external method in Entra ID.

Duo EAM MFA Method in Entra ID Login

Select the Duo MFA EAM method to begin Duo authentication. If you have multiple Entra ID authentication methods enabled you may need to click Other options to see the Duo authentication method.

Duo EAM MFA Redirecting to Duo

You'll be redirected to the Duo Prompt or Duo user enrollment. Completing Duo authentication returns you to Entra ID to complete your application login.

OIDC Duo Prompt

*Universal Prompt experience shown.

If you applied the conditional access policy requiring MFA to specific applications, then the initial Office portal login won't prompt for Duo MFA, but accessing the protected application from within the Office portal after logging in or accessing the protected application directly (bypassing the Office portal) will prompt for Duo MFA.

If you receive a "Looks like something went wrong" error message from Microsoft, it could be that the new EAM settings need a few more minutes to take effect. If the error persists, check the Duo Admin Panel to make sure that the test user isn't bypassing Duo authentication, as mentioned in the known limitations for the Duo external method.

Migration from the Duo Custom Control to Duo External Authentication Method

If you've already applied conditional access policies requiring the Duo custom control for Entra ID before granting application access, you can migrate your users to use Duo as an external authentication method without interrupting secured access to your applications. You can configure Duo EAM in parallel with the Duo CA custom control and switch users from one to the other by adjusting their effective conditional access policies.

An example migration could look like this:

  1. Survey your user groups to determine which ones contain your EAM pilot users.
  2. Create the Duo EAM external method, targeting your pilot group or groups.
  3. Create a new conditional access policy for multifactor via Duo EAM.
  4. Apply the Duo EAM conditional access policy to your pilot user groups.
  5. Remove the conditional access policy which requires the Duo custom control from your pilot user groups.
  6. Have your pilot users test Duo as an external authentication method.
  7. After receiving positive feedback from your initial pilot users, gradually expand testing to include more user groups by updating the Duo EAM method's target groups and the Duo EAM group policy assignments to add additional user groups, while also removing those additional groups from your Duo custom control CA policies.
  8. When you're ready to stop using the Duo custom control, change the Duo EAM target group to "All Users", apply CA policies requiring MFA to all your users, and remove all group and user assignments from your Duo custom control CA policies.
  9. Delete the Duo custom control from Entra ID.

If any Entra ID user is subject to conditional access policies that require use of the Duo custom control for conditional access, while also being subject to CA policies which require multifactor authentication after the Duo external method is added, and the user is in a group targeted by the Duo external method, then that user will have to perform Duo authentication twice — once using EAM and once via the custom control — to satisfy both CA policies before gaining access to applications.

Troubleshooting

Need some help? Take a look at our Microsoft Azure Active Directory or Entra ID Knowledge Base articles or Community discussions. For further assistance, contact Support.

Network Diagram

Duo Entra ID CA Authentication Network Diagram
  1. User accesses Microsoft Online or other services using Entra ID authentication.
  2. User submits primary Entra ID credentials.
  3. User selects the Duo EAM method, which redirects the client browser to Duo.
  4. User receives the Duo Prompt and submits factor selection.
  5. User receives Duo Push authentication request on device.
  6. Authentication approval returned to Duo service.
  7. Secondary authentication approval returned to client.
  8. Client sends Duo approval back to Entra ID.
  9. Entra ID grants application or service access once the MFA requirement and all other aspects of the user's effective conditional access policy are satisfied.