Azure AD Cisco AnyConnect


We got excited seeing Azure Active Directory integration with DUO (Directory Sync), thinking we could move away from needing to use our on-premises servers. Our goal is to move everything we can to the cloud, including our domain controllers (Azure AD).

It seems DUO and Azure AD can only be used as secondary authentication and you still need a primary authentication to occur first? I’m a bit confused about how we can use DUO with Azure AD. It seems we still need something on-prem like a Proxy/MFA server? I got hopeful thinking we could just set the primary authentication as Duo-LDAP and it would just work that way without needing anything onsite.


You’re correct; Duo only handles secondary authentication and you still need a separate identity source for primary authentication before continuing on to Duo 2FA (or else we’d be Uno Security).

You do not need to use the Duo custom control for Azure AD conditional access (which is only available in an Azure AD P2 Premium subscription) to add Duo protection to your Cisco AnyConnect VPN logins. In fact, you cannot use the Duo Azure CA control with AnyConnect (because the Azure control is compatible only with applications that show the Duo Prompt in a browser, and AnyConnect doesn’t).

You can try this for AnyConnect though:

  1. Enable Secure LDAP in your Azure AD domain.
  2. Point your Cisco ASA to Azure AD over LDAPS for primary authentication.
  3. Proceed with adding secondary authentication via Duo’s LDAP configuration for Cisco.

Protecting web-based applications using Azure AD for primary authentication is the most popular use case for the Duo custom control for Azure CA. For example, if you have Office 365 your primary login is the Azure AD account associated with that O365 tenant. If you enabled the Duo custom control in an Azure AD conditional access policy then it would prompt for Duo after primary login with the Azure AD account.
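For readers who want to see what steps 2 and 3 of the answer above look like on the ASA side, here is an added example of the equivalent CLI configuration. It is not Duo's documentation and not configuration from either poster; it goes slightly beyond the answer by also wiring both server groups into a tunnel group and showing the built-in test command. Every IP address, hostname, DN, group name and password below is a placeholder (an assumption), and the base DN, naming attribute and login DN for the Duo server group must match whatever your Duo Authentication Proxy listener is configured to accept.

```cisco
! Added example (not from the original thread or from Duo): Cisco ASA CLI for
! Azure AD DS Secure LDAP primary auth + Duo Authentication Proxy secondary auth.
! All names, addresses, DNs and passwords are placeholders.

! ---- Step 2: primary authentication against Azure AD DS Secure LDAP ----
! Azure AD DS Secure LDAP listens on 636/TCP. The address below is the
! placeholder Secure LDAP endpoint of the managed domain; the ASA must be able
! to reach it (firewall / NSG) and the name on its certificate should match.
aaa-server AZURE-LDAPS protocol ldap
aaa-server AZURE-LDAPS (outside) host 203.0.113.10
 timeout 10
 server-port 636
 ldap-over-ssl enable
 ldap-base-dn DC=aaddscontoso,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-bind,OU=AADDC Users,DC=aaddscontoso,DC=com
 ldap-login-password BIND-PASSWORD-PLACEHOLDER
 server-type microsoft

! ---- Step 3: secondary authentication against the Duo Authentication Proxy ----
! The proxy presents an LDAPS listener to the ASA. A long timeout lets the user
! approve a push / answer a call before the ASA gives up on the request.
aaa-server DUO-LDAP protocol ldap
aaa-server DUO-LDAP (inside) host 10.0.2.10
 timeout 60
 server-port 636
 ldap-over-ssl enable
 ldap-base-dn dc=example,dc=com
 ldap-naming-attribute cn
 ldap-login-dn dc=example,dc=com
 ldap-login-password PLACEHOLDER
 server-type auto-detect

! ---- Tie both into the AnyConnect tunnel group ----
! The primary group validates the Azure AD password; the secondary group reuses
! the same username (use-primary-username) so the user is only asked for a
! second factor, not a second username.
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool VPN-POOL
 default-group-policy ANYCONNECT-GP
 authentication-server-group AZURE-LDAPS
 secondary-authentication-server-group DUO-LDAP use-primary-username

! ---- Verify each leg independently before changing the tunnel group ----
! (run from privileged EXEC, not configuration mode)
! test aaa-server authentication AZURE-LDAPS host 203.0.113.10 username jdoe password ********
! test aaa-server authentication DUO-LDAP host 10.0.2.10 username jdoe password push
```

Two practical notes on this layout. First, the ASA performs the Azure AD bind itself, so the Duo Authentication Proxy only has to handle the second factor; the proxy is a Windows or Linux service you host, and nothing stops it running on a VM in the same Azure VNet rather than on premises, which addresses the original poster's concern about needing on-site servers. Second, test the two `aaa-server` groups separately with `test aaa-server` before enabling the secondary group on the tunnel group, so that an LDAPS certificate or reachability problem on one leg is not mistaken for a Duo enrollment problem on the other.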