04-09-2019 06:48 AM
I’ve set up a trial of Duo with the intention of enabling MFA for Office 365.
We primarily use Outlook, but some users also access via OWA.
I am not linking Duo to an on-prem AD.
I have enabled Duo with Conditional Access in Azure AD, currently for 1 test user, using the supplied JSON script and ticking the following cloud apps: Email, Office 365, Exchange Online, SharePoint Online
and the following conditions: Client apps -> all ticked (except "apply policy only to supported platforms", which I left unticked).
When attempting to access via the Office 365 portal it prompts for MFA correctly.
However, I can install Office on a test PC using the account and it lets me in to Outlook without any MFA prompt!
Have I missed something here?
Thanks…
04-09-2019 08:46 AM
Have you tried using the “What if?” tool in Conditional Access to make sure you’re hitting the right policy?
04-09-2019 09:07 AM
Yes, no matter what combination I try it always reaches the "require Duo MFA" policy.
But Outlook (v1903 / Feb 2019), the Android mail app, the iPhone mail app and the Google mail app all still allow authentication with just the basic credentials.
04-09-2019 04:49 PM
Do you have Modern Authentication enabled for your Office 365 tenant?
04-10-2019 12:05 AM
That’s a good question. Just realised we don’t. I will look at enabling.
However, enabling modern auth in the tenant does not prevent clients from continuing to use basic auth.
My point is that a potential attacker could gain access posing as an Outlook client, bypassing MFA.
The Conditional Access policy should prevent such logins, given that I have it set to force MFA (Duo) on all client apps and cloud apps. Yet it is only impacting cloud apps.
04-10-2019 12:38 AM
pgp - your answer led me to the solution.
For anyone experiencing the same issue:
1. Enable modern auth in the tenant:
https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online
2. Set up Conditional Access policies to force MFA on specific users.
3. Disable basic auth (also done via a Conditional Access policy, set to block):
https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-Conditional-Access-support-for-blocking-legacy-auth-is/ba-p/245417
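The three steps above, scripted end to end, as an added example that is not part of the original post or of Duo's documentation. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) for step 1 and the AzureADPreview module (Connect-AzureAD) for step 3, run by an account that can manage Conditional Access. Step 2, the "require MFA" policy built from Duo's custom-control JSON, is the policy the poster already created in the portal and is left untouched here. The break-glass object ID is a placeholder to replace.

```powershell
# Added example, not the thread's or Duo's own code.
# Assumes: Connect-ExchangeOnline (step 1) and Connect-AzureAD from the
# AzureADPreview module (step 3) have already been run.

# --- Step 1: enable modern authentication (OAuth 2.0) on the tenant -------
# Without this, Outlook 2013+ never offers the OAuth/ADAL flow that
# Conditional Access can evaluate, so the MFA policy is never reached.
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# Confirm it took effect: OAuth2ClientProfileEnabled should now read True.
Get-OrganizationConfig | Format-Table Name, OAuth* -AutoSize

# --- Step 2: the "require Duo MFA" policy already exists in the portal ----
# (created from Duo's JSON as a custom control; nothing to do here).

# --- Step 3: block legacy (basic) authentication with Conditional Access --
# Modern-auth clients show up as "browser" or "mobileAppsAndDesktopClients".
# Basic-auth clients (pre-ADAL Outlook, IMAP/POP/SMTP, ActiveSync) show up as
# "exchangeActiveSync" or "other", so those two types are what we block.
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet

$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = "All"

$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = "All"
# Placeholder object ID of a break-glass admin account (assumed, replace it):
# excluding it means a mistake in this policy cannot lock every admin out.
$breakGlassObjectId = "00000000-0000-0000-0000-000000000000"
$conditions.Users.ExcludeUsers = $breakGlassObjectId

$conditions.ClientAppTypes = @("exchangeActiveSync", "other")

$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "OR"
$controls.BuiltInControls = @("block")

# Create the policy in report-only mode first. Review the sign-in logs for
# users who would have been blocked, then set -State to "enabled".
New-AzureADMSConditionalAccessPolicy -DisplayName "Block legacy authentication" `
    -State "enabledForReportingButNotEnforced" `
    -Conditions $conditions `
    -GrantControls $controls
```

Order matters: enable modern auth before blocking legacy auth, otherwise desktop Outlook has no working sign-in path at all. One caveat worth knowing when you rely on the block policy alone: Conditional Access is evaluated after Azure AD has already validated the password, so a basic-auth password-spray attempt still learns whether a credential is valid even though the session is then refused. If that matters to you, an Exchange Online authentication policy (New-AuthenticationPolicy / Set-OrganizationConfig -DefaultAuthenticationPolicy) rejects basic-auth protocols in Exchange itself, in addition to the Conditional Access block.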