Azure AD: "Unable to determine 'Company Administrator' DirectoryRole member list."

ntroy · January 15, 2021, 2:23pm

We’ve followed this documentation (Microsoft Azure Active Directory | Duo Security) as closely as possible, however as soon as we finish step 6 under Microsoft Azure Active Directory | Duo Security the following error message occurs: “Unable to determine ‘Company Administrator’ DirectoryRole member list.” It is displayed at the top of the Duo Security Applications page, and the new application does not appear on that page.

We are using a dedicated, global administrator account when authorizing with Duo, and looking in Azure AD, we can see that the Duo application has been created within Azure and properly assigned to our user. We’ve tried clearing all cookies and data from the browser and starting not signed into Azure, we’ve tried removing everything created by Duo within Azure and trying again from scratch, we’ve even tried creating the “Company Administrator” role…

Long story short, we’ve done our best to resolve this issue, but have been unsuccessful, and cannot find any previous documentation on it online. Any help, suggestions, or advice you can give would be greatly appreciated! Thank you!

bpfoley · January 16, 2021, 12:58am

I too have run into this issue. I know the process worked before as I added the Azure Application about a year ago and it is still working to this day. I wanted to add an additional Azure Application to begin testing the new Universal Prompt by using Conditional Access to point a few people/apps to the new integration…but I am getting the same error as you mentioned and have followed much of the same troubleshooting you have to no avail.
I wonder if this is leveraging the Graph API and some scopes may have changed on the Microsoft end that Duo was expecting.

mpearl · January 18, 2021, 7:18am

I am also experiencing this issue. I contacted Duo support and they advised that they are aware of a handful of these cases and have escalated this to the developers for review.

They seem to be in agreement with bpfoley that Microsoft may have changed something.

Hope it’s solved soon as I much prefer Duo over Microsoft Authenticator.

daveusrfer · January 19, 2021, 9:18pm

I have this issue too! I have multiple Azure tenants that have worked successfully, but there’s a few that this error comes up in Duo.

Amy · January 19, 2021, 10:04pm

Hi everyone! It looks like this is still under review by our developers, and there hasn’t been an update yet. I know many of you on this thread mentioned you have open support cases already. That’s great! If you do not, please be sure to contact Duo Support and open an official case, so they can troubleshoot this with you. That also ensures you’ll be notified as soon as a fix is available.

daveusrfer · January 19, 2021, 10:37pm

Thanks Amy. I’ve submitted a support requested today regarding this. I think we’ll be using Microsoft MFA authentication for the problematic Azure AD tenants in the meantime till this gets resolved.

ntroy · January 21, 2021, 5:59pm

Just a heads up, the issue now appears to be fixed as of today, Jaunuary 21, 2021. Thank you to everyone who worked on this issue, and got it resolved so quickly!