Duo for Outlook Web App (OWA) - Release Notes

Product Downloads

Download the current release from the Checksums and Downloads page.

Version 2.2.0 - June 5, 2025

• Adds support for new Duo certificate authorities.
• Adds the new Duo Secret Key Rotation tool in the OWA installation directory to assist administrators with updating the application's Client_Secret to a new value when required.
• The Client_Secret is encrypted in the Windows registry. Previously, the Client_Secret was saved as clear text in the registry.
• Supports Windows Server 2025.

Version 2.1.0 - May 9, 2024

• Duo MFA parameters now correctly removed from the OWA URL after Duo authentication.
• Corrects an issue affecting redirection to shared mailboxes after Duo MFA.

Version 2.0.0 - May 4, 2023

• Duo Universal Prompt support with OIDC standards-based redirects. The Duo Prompt no longer loads in an iframe. Learn more about the move to frameless authentication in preparation for Duo Universal Prompt.
• The installer now defaults to "fail closed" for new installations and upgrades from v1.x to v2.0.0. Upgrades from v2.0.0 to future releases will preserve the installed fail mode selection.
• TLS 1.2 is now the minimum supported version. Drops support for TLS 1.1, 1.0, and SSLv3.
• Now supports WinHTTP proxy server configurations that use a bypass-list.
• Corrects an issue where ECP logout did not expire the Duo session cookie created after MFA success at login.
• Changes the Duo OWA registry key location to HKLM\Software\Duo Security\DuoOwa and the registry values IKey and SKey to Client_Id and Client_Secret.

Version 1.3.3 - October 2019

• Released for Exchange 2013+ only; no Exchange 2010 release (Duo's support for Exchange 2010 ends on February 15, 2021).
• Fixed security issue with session cookie expiration affecting Exchange 2013 and newer.
• Updated jQuery version to 1.6.3.
• Support for Windows Server 2008 R2 ends in January 2020. Future releases may not function on unsupported operating systems.

Version 1.3.2 - April 2018

• Support for UPN usernames.
• Internal permit bypass for Exchange 2013 and 2016 built-in health mailboxes.
• Separate installers and instructions for Exchange 2010 and Exchange 2013 and later.
• Exchange 2013 and later installations now require .NET Framework 4.5 and ASP.NET 4.5.
• TLS 1.1 and 1.2 support for Exchange 2013 and later.

Version 1.2.1 - October 2017

• Duo Web SDK 2.6.

Version 1.2.0 - April 2016

• Adaptive sizing for Duo authentication prompt.
• Supports SSL offloading.
• Supports OWA on Exchange 2016.

Version 1.1.9 - November 2014

• Fail mode refinements.

Version 1.1.7 - September 2014

• Expanded two-factor protection to ECP site.

Version 1.1.5 - April 2014

• Bugfixes.

Version 1.1.3 - April 2014

• Fixed double-prompt for primary credentials with some Exchange Server 2013 installations.
• Fixed installer issues on systems using certain international date formats.

Version 1.1.2 - January 2014

• Fixed time-synchronization with Duo's service.
• Fixed incorrect handling of client IP addresses.

Version 1.0.8 (for Exchange Server 2007) - January 2014

• Fixed an issue in which high usage could incorrectly cause Exchange Server to exceed its session limit.
• This was the last release for Exchange 2007.

Version 1.1.1 - November 2013

• Added support for Exchange Server 2013.
• Added fail-open mode.
• Fixed post-login redirection for deep links.
• Removed the option to strip Windows domains from usernames (superseded by the username normalization option for applications set in the Admin Panel).
• Removed support for Exchange Server 2007.

Version 1.0.6 - August 2013

• Added support for Duo's new enrollment frame.
• Fixed permissions errors when using multiple IIS Application Pools.

Version 1.0.5 - May 2013

• Fixed incorrect usage of persistent cookies.

Version 1.0.4 - August 2012

• Fixed a compatibility issue with HTTPS-only cookies.

Version 1.0.3 - June 2012

• Added an option to strip Windows domains from usernames.