Skip navigation

Duo for Outlook Web App (OWA) on Exchange 2013 and Later

Last Updated: May 18th, 2022

Duo adds two-factor authentication to Outlook Web App (OWA) logins, complete with inline self-service enrollment and Duo Prompt.

Walkthrough Video



Check your server versions before starting. These instructions are for Exchange Server 2013 and 2016, running on Windows Server 2012 or newer, and Exchange Server 2019, running on Server 2019. It also requires .NET Framework 4.5 or later and ASP.NET 4.5 or later.

Duo's two-factor solution for OWA 2010 reached its [last day of support](/docs/eos-eol-policy) on February 15, 2021. Microsoft Exchange 2010 reached the end of support on October 13, 2020. Do not attempt to install Duo's OWA application for Exchange 2013 and later on an Exchange 2010 server. Plan your migration to a supported Exchange version.

Connectivity Requirements

This application communicates with Duo's service on TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review this Duo KB article.

  1. Make sure you have installed .NET Framework 4.5. You can do this, for example, by running the following PowerShell commands:

    Import-Module ServerManager
    Add-WindowsFeature NET-Framework-45-Core
  2. Also make sure you have installed ASP.NET 4.5 support for IIS and HTTP Activation. The PowerShell commands for this are:

    Import-Module ServerManager
    Add-WindowsFeature NET-Framework-45-ASPNET
    Add-WindowsFeature NET-WCF-HTTP-Activation45
  3. Ensure that the IIS Management Scripts and Tools feature is turned on as well. PowerShell example:

    Import-Module ServerManager
    Add-WindowsFeature Web-Scripting-Tools

TLS Requirements for Australia Region

Due to government restrictions, Duo’s services in Australia no longer support TLS versions prior to 1.2. The current version of the Duo for Outlook Web Access installer performs connectivity checks with Duo that use TLS 1.0.

Customers in Australia must perform a silent installation to install this product.

Please refer to the Duo Knowledge Base article Can I silently install Duo for OWA from a command line or PowerShell? for silent installation instructions.

In addition, the Exchange servers where you install Duo must also support and use TLS 1.2 or higher. See the Guide to updating to TLS version 1.2 for Windows-based Duo applications for more information.

A future release of Duo for OWA will include TLS 1.2 support in the installer.

First Steps

Before moving on to the deployment steps, it's a good idea to familiarize yourself with Duo administration concepts and features like options for applications, available methods for enrolling Duo users, and Duo policy settings and how to apply them. See all Duo Administrator documentation.

  1. Sign up for a Duo account.
  2. Log in to the Duo Admin Panel and navigate to Applications.
  3. Click Protect an Application and locate the entry for Microsoft OWA in the applications list. Click Protect to the far-right to configure the application and get your integration key, secret key, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications in Duo and additional application options.
  4. Download the Duo OWA Installer Package for Exchange 2013+. View checksums for Duo downloads here.

Treat your secret key like a password

The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

Duo Universal Prompt

The new Universal Prompt provides a simplified and accessible Duo login experience for web-based applications, offering a redesigned visual interface with security and usability enhancements.

Universal Prompt Traditional Prompt
 Duo Push in Universal Prompt  Duo Push in Traditional Prompt

Read the Universal Prompt Update Guide for more information about the update process and the new login experience for users.

Migration to Universal Prompt for your Microsoft OWA application is a two-step process:

  • Install an update provided by Duo for the OWA application to support the Universal Prompt.
  • Activate the Universal Prompt experience for users of that Duo Microsoft OWA application.

You'll need to install an update from Duo for Microsoft OWA to support the Universal Prompt, but the update isn't available yet. The "Universal Prompt" section reflects this status as "Waiting on Duo" with the activation options inaccessible. Please contact Duo Support to request Universal Prompt support for Microsoft OWA.

Universal Prompt Info - Duo Application Update Not Yet Available

In the meantime, you can use Duo with Microsoft OWA and the traditional prompt experience.

After Duo makes the necessary software update available and you've installed it, you'll return to the settings on this page to activate the Universal Prompt for your Microsoft OWA users.

Universal Update Progress

Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all your Duo applications in-scope for Universal Prompt support. You can also activate the new prompt experience for multiple supported applications from the report page instead of visiting the individual details pages for each application.

Read the Universal Prompt Update Guide for more information about the update process to support the new prompt, and watch the Duo Blog for future updates about the Duo Universal Prompt.

Deployment Tip

Try setting your application's New User Policy to "Allow Access" while testing. Users that Duo knows about will be prompted to authenticate with Duo, while all other users will be transparently let through.

Users that have a phone (or hardware token) associated with them will see the authentication prompt. All other users will be able to add their phone through Duo's self-service enrollment (see Test Your Setup).

Then (when you're ready) change the "New user policy" to "Require Enrollment." This will prompt all users to authenticate (or enroll) after they type in their usernames and passwords.

Run the Installer

Install Duo on the Microsoft Exchange Server instances running the Exchange 2010/2013 Client Access Server role or the Exchange 2016/2019 Client Access services. The installation process varies slightly depending on how many Client Access servers you have. The Duo installer stops and then restarts IIS services on your Exchange servers automatically.

  1. Launch the Duo Security installer MSI from an elevated command prompt (right-click "Command Prompt" and select the "Run as Administrator" option). Accept the license agreement and continue.

  2. Enter your integration key, secret key, and API hostname when prompted.

    Enter Duo Information

    If you leave the "Bypass Duo authentication when offline" box in the Duo installer checked, then your users will be able to logon without completing two-factor authentication if the Duo Security cloud service is unreachable. If that box is unchecked then all OWA login attempts will be denied if there is a problem contacting the Duo service.

    Duo for OWA sends a user's Windows sAMAccountName to Duo's service by default. To send the userPrincipalName to Duo instead, check the Send username to Duo in UPN format box. For this to work, OWA and ECP must be using Forms-Based Authentication (FBA). Learn how to enable FBA for Exchange at Microsoft TechNet.

    If you enable the UPN username format option, you must also change the properties of your OWA application in the Duo Admin Panel to change the "Username normalization" setting to None. Otherwise, Duo drops the domain suffix from the username sent from OWA to our service, which may cause user mismatches or duplicate enrollment.

  3. If you only have one Exchange Server running the Client Access Server role, select the option to automatically generate a new key. However, if you have multiple Client Access Server servers then you should manually generate a random string at least 40 characters long, and use the same string as the session key during installation on each of the servers.

    Create Session Key

    For example, you could use the following PowerShell commands to generate a suitable session key:

    $bytes = new-object "System.Byte[]" 30
    (new-object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
  4. Complete the Duo installation. The installer stops and then restarts IIS services automatically.

Test Your Setup

To test your setup, log into OWA. Duo's enrollment or login prompt should appear after you enter your username and password:

Duo Prompt

Configure Allowed Hostnames

If you plan to permit use of WebAuthn authentication methods (security keys, U2F tokens, or Touch ID) in the traditional Duo Prompt, Duo recommends configuring allowed hostnames for this application and any others that show the inline Duo Prompt before onboarding your end-users.

The Duo Universal Prompt has built-in protection from unauthorized domains so this setting does not apply.


Need some help? Take a look at the OWA Frequently Asked Questions (FAQ) page or try searching our OWA Knowledge Base articles or Community discussions. For further assistance, contact Support.

Advanced Configuration

If your organization offloads SSL requests to OWA via a load balancer, please see the FAQ for additional Duo configuration instructions.

Update Duo for OWA

You can upgrade your Duo installation over the existing version; there's no need to uninstall first.

  1. Download the most recent Duo OWA Installer Package for Exchange 2013+ and run the MSI from an elevated command prompt. View checksums for Duo downloads here.

  2. Follow the on-screen prompts to complete the upgrade installation. Note that the installer restarts IIS services.

  3. Repeat the upgrade on all your Exchange client access servers.

Network Diagram

  1. OWA connection initiated
  2. Primary authentication
  3. Exchange Client Access connection established to Duo Security over TCP port 443
  4. Secondary authentication via Duo Security’s service
  5. Exchange Client Access receives authentication response
  6. OWA session logged in