Duo Azure AD Single Sign On with Conditional Access and MFA


Duo Azure AD Single Sign On (SSO) integrates with Azure Active Directory to provide a seamless and secure sign-on experience for users.

This integration allows users to access Azure AD protected applications without having to enter their credentials multiple times.

By leveraging Duo's multi-factor authentication (MFA) capabilities, Duo Azure AD SSO provides an additional layer of security to protect against unauthorized access.

Conditional Access policies can be applied to enforce MFA requirements for specific users, groups, or applications.


Prerequisites

To get started with Duo Azure AD, you'll need to meet some prerequisites.

You'll need an active Entra ID P1 or P2 subscription that includes Conditional Access, with the P1/P2 licenses assigned to each user who will log in using Duo MFA.

Microsoft 365 E3, E5, and F3 plans, as well as Enterprise Mobility + Security E3 and E5 plans, and Microsoft Business Premium, all include Entra ID Premium.

You'll also need a designated Entra ID admin service account to use for authorizing the Duo application access.


This account needs the Entra ID Global Administrator role during Duo setup, but you can reduce the service account's role privileges later.

Here's a quick rundown of the plans that include Entra ID Premium:

  - Microsoft 365 E3, E5, and F3
  - Enterprise Mobility + Security E3 and E5
  - Microsoft Business Premium

Whether this service account must complete Entra ID MFA at login depends on your tenant's settings for administrators.

Azure SSO Configuration

To configure Duo Single Sign-On (SSO) in Azure, you'll need to follow these steps. First, log into your Microsoft Azure administrative portal and click on the menu icon in the upper left-hand side of the page, then select Microsoft Entra ID.

To add a new application, click on Enterprise Applications, then + New application at the top of the screen. Select the Non-gallery application tile and type "Duo SSO" in the Name field.

You'll need to assign users and groups to the application, so click on Assign users and groups and select the users and groups that should have access to log in with Azure to Duo Single Sign-On.


To configure SAML, select SAML on the "Select a single sign-on method" page, then on the "Set up Single Sign-On with SAML" page, copy the Entity ID and Assertion Consumer Service URL from the Duo Admin Panel and paste them into the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) fields in Azure, respectively.

You'll also need to add five additional claims: Email, Username, FirstName, LastName, and DisplayName, using the following attributes: user.mail, user.userprincipalname, user.givenname, user.surname, and user.displayname.

Leave all other fields empty and click Save and close the "Basic SAML Configuration" editor. Then, click the pencil icon next to "User Attributes & Claims" and delete the four default claims, then add the five additional claims.

Note: Duo Single Sign-On does not support identity-provider-initiated sign-on (the identity provider sending it an unsolicited request), so do not click "Test" under step 5 to test your setup; the test will fail.

Here is a summary of the claims you'll need to add:

  Claim name     Source attribute
  Email          user.mail
  Username       user.userprincipalname
  FirstName      user.givenname
  LastName       user.surname
  DisplayName    user.displayname
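As an added troubleshooting check (not from the page or from Duo), the following PowerShell parses a SAML response and reports which of the five claims above are missing or empty. The response is a constructed sample in which DisplayName was deliberately left out, and the function inspects attribute names and values only; Duo SSO performs the signature validation itself.

```powershell
# Added example: verify that a SAML response carries the five claims Duo SSO expects.
# $sampleResponse is a constructed sample, not a real Entra ID response.
$requiredClaims = @{
    Email       = "user.mail"
    Username    = "user.userprincipalname"
    FirstName   = "user.givenname"
    LastName    = "user.surname"
    DisplayName = "user.displayname"
}

$sampleResponse = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Username"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
'@

function Test-DuoSsoClaims {
    param(
        [Parameter(Mandatory)][string]$ResponseXml,
        [Parameter(Mandatory)][hashtable]$Required
    )
    $doc = [xml]$ResponseXml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion")

    # Collect every attribute name the IdP actually sent, with its first value.
    $present = @{}
    foreach ($attr in $doc.SelectNodes("//saml:Attribute", $ns)) {
        $valueNode = $attr.SelectSingleNode("saml:AttributeValue", $ns)
        $present[$attr.GetAttribute("Name")] = if ($valueNode) { $valueNode.InnerText } else { "" }
    }

    # Report claims that are absent (wrong claim name in Azure) or empty (user attribute unset).
    $problems = foreach ($name in $Required.Keys) {
        if (-not $present.ContainsKey($name)) { "missing claim '$name' (source $($Required[$name]))" }
        elseif ([string]::IsNullOrWhiteSpace($present[$name])) { "claim '$name' is empty; check the user's $($Required[$name]) attribute" }
    }
    [pscustomobject]@{ Ok = (@($problems).Count -eq 0); Problems = @($problems) }
}

Test-DuoSsoClaims -ResponseXml $sampleResponse -Required $requiredClaims
```

Paste a real response captured from a browser SAML tracer into $sampleResponse to see which claim Azure is not sending.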

Conditional Access


Conditional Access is a powerful Entra ID feature, used by the Duo Azure AD integration, that lets you set policies that evaluate user access attempts to applications and grant access only when the access request satisfies the specified requirements.

You can create custom controls for Microsoft Entra ID Conditional Access using Duo, which provides strong secondary authentication to Entra ID logons.

Duo's granular access policies and controls complement and extend the access controls in Entra ID, giving you more flexibility and control over who has access to your applications.

To create a new Duo Conditional Access policy, follow these steps in the Entra ID admin center:

  1. Click on Policies in the Entra ID admin center and then click New Policy.
  2. Enter a descriptive name for the new policy, like "Require Duo MFA".
  3. Make your desired policy assignments, such as assigning the policy to selected users or Entra ID security groups.
  4. Click Grant under "Access controls" and select the RequireDuoMFA custom control.
  5. Enable the policy by clicking the On toggle switch underneath "Enable policy".

You can also prevent Entra ID from offering your users the option to set up the Microsoft Authenticator app for sign-in if you want them to use Duo instead.


To do this, you'll need to disable the registration campaign and system preferred multifactor authentication in the Entra ID admin center.

Here's how to disable the registration campaign:

  1. Go to Protection → Authentication methods → Registration campaign.
  2. Click Edit and change the State to Disabled. Click Save.

And here's how to disable system preferred multifactor authentication:

  1. Go to Protection → Authentication methods → Settings → System preferred multifactor authentication.
  2. Click Edit and change the State to Disabled. Click Save.

Configuring multiple Duo CA policies is also possible, and you can create additional Duo custom controls with unique values.

To create an additional Duo custom control, you'll need to edit the custom control JSON text provided by Duo with some unique values before saving the new control.

Here's a step-by-step guide to creating an additional Duo custom control:

  1. Log in to your Duo Admin Panel and create another Microsoft Azure Active Directory application as you did earlier.
  2. Create a new Conditional Access custom control in the Entra ID admin center, pasting in the JSON from the Duo Admin Panel.
  3. Locate the attributes in the "Controls" section of the Duo JSON text and give them unique values, such as appending text to RequireDuoMfa.
  4. Click Create to create the additional Duo custom control.

You can repeat this process as many times as you wish to create multiple Duo controls for use with Conditional Access policies.
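To illustrate step 3 above, and the same instruction repeated under MFA Custom Control, here is an added PowerShell example (not Duo's or Microsoft's code) that derives a second custom control from the JSON Duo provides by giving every entry in its "Controls" section a unique name and refusing names already used in the tenant. The JSON below is a constructed placeholder with the shape of a custom control definition; use the real text from your Duo Admin Panel.

```powershell
# Added example: derive an additional Duo custom control with unique control names.
# $duoControlJson is a constructed stand-in for the JSON copied from the Duo Admin Panel.
$duoControlJson = @'
{
  "Name": "Duo Security",
  "AppId": "00000000-0000-0000-0000-000000000000",
  "ClientId": "00000000-0000-0000-0000-000000000000",
  "DiscoveryUrl": "https://example.invalid/.well-known/openid-configuration",
  "Controls": [
    { "Name": "RequireDuoMfa", "DisplayName": "Require Duo MFA", "Description": "Duo two-factor authentication" }
  ]
}
'@

function New-DuoControlVariant {
    param(
        [Parameter(Mandatory)][string]$TemplateJson,      # JSON text as provided by Duo
        [Parameter(Mandatory)][string]$Suffix,            # text appended to make names unique
        [string[]]$ExistingControlNames = @()             # control names already in the tenant
    )
    $control = $TemplateJson | ConvertFrom-Json

    foreach ($c in $control.Controls) {
        $newName = "$($c.Name)$Suffix"
        if ($ExistingControlNames -contains $newName) {
            throw "Control name '$newName' already exists in the tenant; choose another suffix."
        }
        $c.Name        = $newName
        $c.DisplayName = "$($c.DisplayName) ($Suffix)"
    }
    # The top-level name is what the admin center lists, so make it distinct as well.
    $control.Name = "$($control.Name) $Suffix"

    return $control | ConvertTo-Json -Depth 5
}

# First control already exists as RequireDuoMfa; create a variant for a second policy.
New-DuoControlVariant -TemplateJson $duoControlJson -Suffix "Admins" -ExistingControlNames @("RequireDuoMfa")
```

The output is the JSON to paste into the new custom control in the Entra ID admin center.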

MFA Configuration

To configure MFA with Duo and Azure AD, you'll need to set up Single Sign-On (SSO) on both ends. Start on the Single Sign-On Configuration page, scroll down to "1. Configure your SAML Identity Provider", and configure the Duo Single Sign-On app in Azure.


On the "Basic SAML Configuration" page in Azure, you'll need to copy the Entity ID and Assertion Consumer Service URL from the Duo Admin Panel and paste them into the respective fields in Azure. Leave all other fields empty and click Save.

You'll also need to add the same five additional claims in Azure (Email, Username, FirstName, LastName, and DisplayName), using the source attributes listed under Azure SSO Configuration above. After adding all five claims, click the X icon to close the view.

MFA Excludes Custom Controls

Microsoft doesn't evaluate authentication with a custom control as part of a Conditional Access multifactor authentication claim requirement.

This means that custom controls, like the Duo custom control, can't satisfy a CA rule that requires "multifactor".

You can satisfy CA multifactor requirements with Duo MFA when you federate Entra ID/Microsoft 365 with Duo Single Sign-On.

Alternatively, you can federate Entra ID with Microsoft AD FS, install Duo for AD FS, and configure AD FS to pass an Authentication Method References claim for MFA back to Entra ID.

Environments also differ: the Duo custom control is unavailable in Azure Government (Entra ID GCC) tenants.


MFA Custom Control


Creating an MFA Custom Control is a straightforward process that allows you to integrate Duo MFA with Microsoft's Conditional Access. You'll need to log in to your Entra ID tenant as a global administrator and navigate to Protection → Conditional Access.

To create the custom control, follow these steps:

  1. Click Custom controls (Preview) on the left, and then click New custom control.
  2. Remove the example custom controls JSON text and paste in the "Custom control" JSON text you copied from the Duo Admin Panel's Microsoft Azure Active Directory application page earlier.
  3. Click the Create button after entering the Duo JSON text. Entra ID creates the new custom control "RequireDuoMFA".

You can repeat this process to create multiple Duo custom controls for use with Conditional Access policies. Just remember to edit the custom control JSON text provided by Duo with unique values before saving the new control.

Microsoft 365 Integration

To integrate Duo with your Microsoft 365 tenant, you'll need to add the Microsoft 365 Application to the Duo Access Gateway.

You'll first need to update the "Attributes" list for your Duo Access Gateway AD authentication source. Then, return to the Applications page of the DAG admin console session and click the Choose File button to upload the Microsoft 365 SAML application JSON file. This will add the Microsoft 365 SAML application to your Duo Access Gateway.


Once the application is added, you can proceed with enabling AD Federation to Microsoft 365 using Duo.

To do this, log on to the domain-joined computer where you installed the necessary tools and launch the Windows Azure Active Directory Module for Windows PowerShell. Enter the Connect-MsolService command and enter your Microsoft 365 administrator credentials for the domain you'll be configuring for SSO using Duo Access Gateway.

To verify that your Microsoft 365 domain is not currently federated, run Get-MsolDomain -DomainName your365domain.com and confirm its Authentication value is Managed. If it's not federated, you can proceed with the rest of the steps.

Here are the federation parameter values you'll need to gather:

Set these parameters as PowerShell variables, then verify that they're set correctly. Finally, run the command Set-MsolDomainAuthentication to convert your Microsoft 365 domain to Federated authentication.
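The procedure above as an added PowerShell example (not Duo's own script): it sets the federation values as variables, refuses to continue if the domain is already federated, converts the domain, and reads it back. Every value is a placeholder to be replaced with the ones from your Duo Access Gateway admin console, and, as the FAQ at the end of this page notes, the MSOnline cmdlets used here are deprecated in favor of the Microsoft Graph PowerShell SDK.

```powershell
# Added example: federate a Microsoft 365 domain to Duo Access Gateway with MSOnline.
# All values below are placeholders; take the real ones from the DAG admin console.
Connect-MsolService   # prompts for Microsoft 365 administrator credentials

$dom        = "your365domain.com"                                   # placeholder domain
$brandName  = "Duo Access Gateway"                                  # federation display name
$passiveUri = "https://dag.example.invalid/PASSIVE-LOGON-URI"        # placeholder
$logoffUri  = "https://dag.example.invalid/LOGOFF-URI"               # placeholder
$issuerUri  = "https://dag.example.invalid/ISSUER-URI"               # placeholder
$cert       = "PASTE-BASE64-SIGNING-CERTIFICATE-HERE"                # placeholder

# Refuse to proceed unless the domain is still Managed (i.e. not already federated).
$domain = Get-MsolDomain -DomainName $dom
if ($domain.Authentication -ne "Managed") {
    throw "Domain $dom is '$($domain.Authentication)'; expected Managed before converting."
}

# Verify the variables before committing the change.
Get-Variable dom, brandName, passiveUri, logoffUri, issuerUri | Format-Table Name, Value

# Convert the domain to federated authentication against Duo Access Gateway.
Set-MsolDomainAuthentication -DomainName $dom `
    -FederationBrandName $brandName `
    -Authentication Federated `
    -PassiveLogOnUri $passiveUri `
    -LogOffUri $logoffUri `
    -IssuerUri $issuerUri `
    -SigningCertificate $cert `
    -PreferredAuthenticationProtocol SAMLP

# Confirm the conversion took effect (Authentication should now read Federated).
Get-MsolDomain -DomainName $dom | Select-Object Name, Authentication
```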

Test Your Setup

To test your Duo Azure AD setup, log in to Entra ID as a user assigned the Duo MFA policy. This will trigger the Duo Prompt or Duo user enrollment, depending on your configuration.


If you applied the Duo Conditional Access policy to "All cloud apps", you'll be redirected to the Duo Prompt after submitting your primary Entra ID credentials. Completing Duo authentication will return you to Entra ID to complete your login.

If you applied the policy to specific applications, accessing the protected application from within the Office portal after logging in will prompt for Duo MFA. Alternatively, accessing the protected application directly will also trigger the Duo Prompt.

Navigating to https://login.microsoftonline.com will automatically redirect you to your Duo Access Gateway sign-in page to complete authentication. This is a good way to verify Single Sign-On (SSO) functionality.


Deployment and Management

To create a Duo Security installer for Intune deployment, start by downloading the Duo Authentication for Windows Logon and RDP files from the Duo Security website. The direct download link is https://dl.duosecurity.com/duo-win-login-latest.exe.

You'll need to copy the downloaded file to an empty folder and then create a .intunewin package using the Intune content preparation tool. For the app's detection rule in Intune, use: Rule type: File; Path: C:\Program Files\Duo Security\WindowsLogon; File or folder: DuoCredFilter.dll; Detection method: File or folder exists.

To deploy the Duo installer via Microsoft Intune, open Microsoft Endpoint Manager and navigate to the Apps section. Click on + Add and select Windows App (Win32) as the app type. Then, select the .Intunewin file you created earlier and set the app package file.


Intune Deployment Installer


You'll need to copy the downloaded file to an empty folder and then create a .intunewin package using the Intune content preparation tool. The installer you package is specific to the Duo version you're deploying, so be sure to use the current version rather than an older download.

For example, if you're using version 4.2.0, the detection rule for the app looks like this:

  Rule type: File
  Path: C:\Program Files\Duo Security\WindowsLogon
  File or folder: DuoCredFilter.dll
  Detection method: File or folder exists

You'll also need to account for DuoCredProv.dll, so the files to check for are:

  DuoCredFilter.dll
  DuoCredProv.dll

Once you've created the package, you can deploy it via Microsoft Intune.
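As an added example (not from the page or Duo), the following PowerShell performs the packaging step with Microsoft's Win32 Content Prep Tool and then implements the detection logic above, extended to both DLLs. The folder paths and the location of IntuneWinAppUtil.exe are placeholders, and the tool is assumed to be downloaded already.

```powershell
# Added example: build the Duo Windows Logon .intunewin package and check both DLLs.
$source   = "C:\DuoPackage\src"              # placeholder; must contain only the installer
$output   = "C:\DuoPackage\out"              # placeholder output folder
$setup    = "duo-win-login-latest.exe"
$prepTool = "C:\Tools\IntuneWinAppUtil.exe"  # placeholder path to the content prep tool

New-Item -ItemType Directory -Force -Path $source, $output | Out-Null
Invoke-WebRequest -Uri "https://dl.duosecurity.com/duo-win-login-latest.exe" `
                  -OutFile (Join-Path $source $setup)

# -c source folder, -s setup file, -o output folder, -q quiet (no interactive prompts).
& $prepTool -c $source -s $setup -o $output -q

# Detection logic matching the file rule above, extended to both DLLs Duo installs.
function Test-DuoLogonInstalled {
    param([string]$InstallDir = "C:\Program Files\Duo Security\WindowsLogon")
    $required = @("DuoCredFilter.dll", "DuoCredProv.dll")
    $missing  = $required | Where-Object { -not (Test-Path (Join-Path $InstallDir $_)) }
    [pscustomobject]@{ Installed = (@($missing).Count -eq 0); Missing = @($missing) }
}

Test-DuoLogonInstalled
```

Run Test-DuoLogonInstalled on a device after the Intune install to confirm both files landed where the detection rule expects them.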

Network Diagram

The network diagram describes the Entra ID authentication flow with Duo. It outlines the sequence of events that occur when a user attempts to access Microsoft Online or another service protected by Entra ID.


Here's a simplified breakdown of the network diagram:

  1. The user accesses Microsoft Online or other services using Entra ID authentication.
  2. The user submits their primary Entra ID credentials.
  3. An Entra ID Conditional Access policy redirects the client browser to Duo.
  4. The user receives the Duo Prompt and submits factor selection.
  5. The user receives a Duo Push authentication request on their device.
  6. Authentication approval is returned to the Duo service.
  7. Secondary authentication approval is returned to the client.
  8. The client sends the Duo approval back to Entra ID.
  9. Entra ID grants application or service access once the Duo Conditional Access policy is satisfied.

This process may seem complex, but it's actually a robust security measure that helps protect user accounts and data.


General Information

Duo Azure AD is a cloud-based identity and access management solution that integrates with Azure Active Directory (Azure AD) to provide a seamless and secure user experience.

Duo's integration with Azure AD allows for single sign-on (SSO) across multiple applications and services, eliminating the need for multiple usernames and passwords.


This integration also enables conditional access policies, which allow administrators to control access to specific resources based on user identity, device, and location.

Duo's cloud-based architecture ensures scalability and reliability, making it an ideal solution for organizations of all sizes.

Duo's support for Azure AD's multi-factor authentication (MFA) capabilities adds an extra layer of security to the login process, protecting against phishing and other types of attacks.

Frequently Asked Questions

Is Azure AD discontinued?

Azure AD is not discontinued, but its PowerShell modules will no longer be supported after March 30, 2024. Instead, users are encouraged to migrate to the Microsoft Graph PowerShell SDK for continued support.

Glen Hackett

Writer
