cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1406
Views
3
Helpful
5
Replies

Azure AD web login MFA and Duo

pgp
Level 1
Level 1

Can (or will) Duo be an equal choice along with Azure’s MFA?

Today, if one is doing a plain non-federated login at https://login.microsoftonline.com/ and the account has Azure MFA configured, it appears that Duo can’t be set up to satisfy (some?) Azure MFA requests.

We have Duo configured in our Azure AD Tenant and my account requires it. When I login, I get the Duo page and do that, all good. But if I then visit https://myaccount.microsoft.com/ and try to view my ‘Security info’, I have to use one of the Azure MFA methods which I previously configured on that security page.

-Phil

1 Accepted Solution

Accepted Solutions

Hello @pgp ,

You’re right. In the current custom MFA controls for conditional access feature, third-party controls like Duo’s are unable to satisfy the multipleauthn authentication method reference (AMR) claim requirement that lets Azure recognize these controls as satisfying an MFA requirement. This constraint is briefly described in the second bullet here.

Today we do not have much more information about Microsoft’s timeline for the successor to the current custom controls solution than what’s in the 2020 post.

Duo, not DUO.

View solution in original post

5 Replies 5

Amy2
Level 5
Level 5

Hi Phil, thanks for sharing your question here. I don’t know the answer to this myself, but I will take it back to the team and look into it for you. Just wanted you to know I saw your post and am working on getting the solution!

Amy2
Level 5
Level 5

Hi again, I have a few follow-up questions if you don’t mind. This will help us with sorting out what’s going on here I was reading Microsoft’s documentation about security info and codes and I just wanted to confirm you removed the Azure MFA methods you previously configured? Also, how long ago did you remove those?
I noticed on the page:

Note: If you request removal of all security info in your account, the info doesn’t actually change for 30 days. During this time, we cannot accept further changes or additions to security settings or billing info.

So depending on when you removed those from your profile, you might still be prompted if you are within the 30-day window.

Not directly answering your questions, but maybe this will help explain: I’m looking for the “upcoming changes” to be implemented that Microsoft mentions in Upcoming changes to Custom Controls. That work sounds like it would give Duo parity with Azure MFA.

Ah ok, that does help. I definitely misunderstood your question. Thank you for clarifying!

Yes, you’re exactly right. Since this is dependent on the changes that Microsoft is making, and I unfortunately do not have visibility into the status of those changes, I don’t have a timeline or estimate to share of when that would be available.

Hello @pgp ,

You’re right. In the current custom MFA controls for conditional access feature, third-party controls like Duo’s are unable to satisfy the multipleauthn authentication method reference (AMR) claim requirement that lets Azure recognize these controls as satisfying an MFA requirement. This constraint is briefly described in the second bullet here.

Today we do not have much more information about Microsoft’s timeline for the successor to the current custom controls solution than what’s in the 2020 post.

Duo, not DUO.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links