Duo Trusted Endpoints – Microsoft Edge for Business Device Trust Connector

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known managed browsers can access Duo protected services. When a user authenticates via the Duo Universal Prompt, we'll check for the access browser's management status. You can monitor access to your applications from trusted and untrusted browsers and optionally block access from browsers not trusted by your organization.

Trusted Endpoints is part of the Duo Essentials, Duo Advantage, and Duo Premier plans.

Overview

The Microsoft Edge for Business Device Trust Connector is a browser-backed method of device identity and status confirmation. When a user authenticates via the Duo Universal Prompt using a managed Edge for Business browser, this connector integration attests that the Edge for Business browser is enrolled in enterprise device management and is therefore compliant with all enterprise policies.

Prerequisites

• The protected application must have the Duo Universal Prompt enabled.
• Access to the Microsoft Entra Admin Center as an administrator with the Global Administrator role.
• Access to the Microsoft 365 Admin Center as an administrator with the Global Administrator role.
• Access to the Duo Admin Panel as an administrator with the Owner, Administrator, or Application Manager administrative role.
• Windows OS endpoints which are supported by the Edge for Business browser. Please review the Microsoft Edge supported Windows version information.

Create the Microsoft Edge for Business Device Trust Connector Integration

1. Log in to the Duo Admin Panel and navigate to Devices → Trusted Endpoints.
2. If this is your first management integration, click the Get started button at the bottom of the Trusted Endpoints introduction page. If you're adding another management integration, click the Add Integration button you see at the top of the page instead.
3. On the "Add Management Tools Integration" page, locate Microsoft Edge for Business Device Trust Connector in the list of "Device Management Tools" and click the Add this integration selector.
4. Choose Windows from the "Recommended" options, and then click the Add button.

The new Microsoft Edge for Business Device Trust Connector integration is created in the "Disabled" state. You'll turn it on when you're ready to apply your Duo trusted endpoints policy.

During setup, keep the Duo Admin Panel open in your browser. You'll need to refer back to the "Edge for Business Device Trust Connector integration" page to complete the Microsoft Entra configuration steps.

Create a New App Registration in Microsoft Entra

1. In the Microsoft Entra admin center, navigate to Applications → App registrations → New registration.
2. Register your new application. Allow access to “Accounts in any organizational directory (Any Microsoft Entra ID tenant – Multitenant)”.
3. Navigate to the newly created app registration. Use the left-side navigation, under Manage, go to Certificates & Secrets. Create a new client secret for your application to be used in a later step.
4. In the left-side navigation, go to Manage→ API Permissions. Configure the required permissions on your newly created app registration to give the application permissions to access the Device Trust API.
5. Search for the “Microsoft Edge management service” in the APIs my organization uses tab. Click on the resulting row. Note: If you don’t see the application, you will first need to add it to your tenant.

If you can’t find the Microsoft Edge management Service in your tenant, you must add the application to your tenant to see it.

1. Navigate to Microsoft Graph Explorer and sign in with your account.

2. Change the reqest URL in Graph Explorer to https://graph.microsoft.com/v1.0/servicePrincipals.

3. Copy the following and paste it into the Request body area, and then click Run query.

   {
        App ID is ff846ae4-7ec9-42f4-8576-eb14198ad5e1
   }

   

4. Click on the Graph Explorer Modify permissions tab. Select Application permissions from the list, and then add the “DeviceTrust.Read.All” permission. After completing this step, you should see the Microsoft Edge management service in your tenant.

Create a New Policy in Microsoft 365

1. Log in to the Microsoft 365 Admin Center and navigate to the Microsoft Edge settings page.
2. Navigate to the Configuration policies tab, click Create policy.
3. (Optional) After saving, click on your newly created policy, navigate to the Group assignment tab, and select a group that your policy will be assigned to.
4. After creating a policy, navigate to the Connectors tab on the "Microsoft Edge settings" page and click on the Set up button under the Cisco Duo Device Trust connector.
5. Search for the policy you’ve created in step 2 in the “Choose Policy“ dropdown and paste https://duosecurity.com in the URL patterns to allow field.
6. Click the Save configuration button. You should now see the Cisco Duo Device Trust connector appear under the “Installed Connectors” section.

Register Your Microsoft Entra Application with Duo

1. Return to your "Edge for Business Device Trust Connector management integration details" page in the Duo Admin Panel. Scroll down to the section labeled “Register Microsoft Entra Application with Duo”.
2. Enter the Tenant ID, Client ID, and Client Secret values from the application you created earlier.
3. Click the Test Configuration button to verify your setup. If you do not receive a "Configuration Successful!" message, double-check that you provided the right application information.
4. If testing your configuration was successful, click Save & Configure.

Finish Trusted Endpoints Deployment

After creating the Edge for Business Device Trust Connector integration, set the Trusted Endpoints policy to start checking for Edge browser enrollment as users authenticate to Duo-protected services and applications.

When your trusted endpoints policy is applied to your Duo applications, return to the Edge for Business Device Trust Connector Trusted Endpoints integration in the Admin Panel. The "Change Integration Status" section of the page shows the current integration status (disabled by default after creation). You can choose to either activate this integration only for members of a specified test group or groups or activate for all users.

The Device Insight and Endpoints pages in the Duo Admin Panel show which access devices are verified.

Verify Your Setup

Authenticate to a protected application using a managed Edge for Business browser.

When the Trusted Endpoints policy is set to “Allow all endpoints”, users receive access to the application (assuming the managed Edge browser passes all other policy verification), and Duo records the trusted or untrusted status of that browser.

If the Trusted Endpoints policy is set to "Require endpoints to be trusted" and Duo successfully verifies the managed Edge for Business browser's management status and configuration against the required policy settings, then the user receives access to the protected application.

If the managed Edge for Business browser fails the configuration and policy checks, then Duo will deny access to the application from the unmanaged browser.

Troubleshooting

Need some help? Take a look at our Trusted Endpoints Knowledge Base articles or Community discussions. For further assistance, contact Support.