Duo supports multiple solutions for adding two-factor authentication to Microsoft's online services like Microsoft 365, Office 365, and Azure Active Directory. Learn more about these configurations and choose the best option for your organization.
Microsoft customers with subscription plans that include Azure AD Premium P1 or P2 can secure Microsoft 365 and Azure logons with the Duo custom control for Azure Active Directory. Conditional access policies featuring the Duo control can be applied to Azure users, groups, applications, login contexts, and many other categories.
This solution does not require any Duo software deployed on-premises. After your end users complete primary authentication in Azure, they will be redirected to Duo's cloud service to complete two-factor authentication, and subsequently redirected back to Microsoft's service.
Duo Single Sign-On is a cloud-hosted Security Assertion Markup Language (SAML) 2.0 SSO solution that adds two-factor authentication to Microsoft 365 and Azure logins. Duo Single Sign-On acts as an identity provider (IdP), authenticating your users using existing on-premises Active Directory (AD) credentials and prompting for two-factor authentication before permitting access to Microsoft 365.
This solution requires deployment of the Duo Authentication Proxy on your internal network to verify primary logon credentials against Active Directory. Your end users will sign in and perform two-factor authentication at Duo's cloud-hosted SSO service, and do not contact the on-premises Authentication Proxy servers directly.
Duo Access Gateway (DAG), our on-premises SSO product, layers Duo's strong authentication and flexible policy engine on top of Microsoft 365 logins using the Security Assertion Markup Language (SAML) 2.0 authentication standard. Duo Access Gateway acts as an identity provider (IdP), authenticating your users using existing on-premises Active Directory (AD) credentials and prompting for two-factor authentication before permitting access to Microsoft 365.
This solution requires deployment of a web server with Duo Access Gateway in your DMZ. Your end users will sign in and perform two-factor authentication at the Duo Access Gateway server when signing in to Microsoft online services and applications.
Customers who have already federated Azure Active Directory with an on-premises Microsoft Active Directory Federation Services (AD FS) deployment for SSO can install Duo's multifactor authentication (MFA) adapter for AD FS. This lets you add Duo as a required MFA method for users signing in to AD FS, where they will complete Duo two-factor authentication after primary username and password verification at AD FS.
This solution requires installation of the Duo MFA adapter on each AD FS server, whether it is standalone or part of a farm deployment.
Duo has partnered with leading identity providers to offer two-factor authentication in those services. Learn more about using Duo with these third-party IdPs:
Microsoft’s Government Cloud does not support custom controls for conditional access in Azure Government’s Active Directory service. In addition, Duo Federal plans do not yet include Duo Single Sign-On. Federal customers should consider deploying Duo Access Gateway, Microsoft AD FS, or another on-premises SSO solution to protect Azure Government/GCC tenants with Duo two-factor authentication.