Duo + ADFS 3.0 Outlook 2016 with password prompt


#1

Hi,
I want to run Duo in our organization. We’re using Office365 and AD FS 3.0 with SSO.
I read the documentation and tried to enable the plugin only on a specific group. After installing the plugin and enabling MFA, Outlook suddenly started to prompt me to enter my user and password.
I disabled the plugin and it stopped.

Any idea?
Please help
Zee


#2

Hi Zikaziv,
You may find this information from our AD FS documentation helpful in understanding and resolving your issue:

Note that any MFA assignments made via the Global Authentication Policy editor are effectively “OR” rules, so each individual condition always applies. If you were to add a specific group (like ACME\Duo_Users) to the Users/Groups section, and then also check the box for the Extranet location, you may expect that the net effect is that members of the ACME\Duo_Users who access AD FS externally require MFA while members of that group accessing AD FS internally and any user who is not a member of that group do not require MFA. Since the GUI creates “OR” rules instead of “AND” rules the net effect is actually that members of ACME\Duo_Users always require MFA regardless of location, while users not in the ACME\Duo_Users group accessing AD FS externally also require MFA.

If you’re not expecting to be prompted, please ensure you have not checked the relevant Extranet or Intranet box as well, as it could be the reason you’re being prompted.
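
The "OR" behaviour described in the quoted documentation, next to a single "AND" rule, as an added example that is not part of the original thread or of Duo's documentation. It assumes the group from the quote (ACME\Duo_Users), that the intended policy is MFA only for group members connecting from the extranet, and that it is run on the primary AD FS server with the ActiveDirectory and ADFS modules available; the backup file name is a placeholder.

```powershell
Import-Module ActiveDirectory
Import-Module ADFS

# Group name taken from the quoted documentation; adjust to your own group.
$groupSid = (Get-ADGroup -Identity 'Duo_Users').SID.Value

# Claim that tells AD FS to require an additional authentication method.
$mfa = 'issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'

# Equivalent of ticking both the group and the Extranet box in the GUI:
# two independent rules, so EITHER condition alone triggers MFA.
# Shown for comparison only; it is not applied below.
$orRules = @"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"]
 => $mfa
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => $mfa
"@

# One rule with both conditions joined by &&:
# MFA only when the user is in the group AND the request is external.
$andRule = @"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => $mfa
"@

# Keep a copy of the current global rules so the change can be reverted.
Get-AdfsAdditionalAuthenticationRule | Format-List | Out-File .\adfs-mfa-rules-backup.txt

# Replace the global additional-authentication rules with the AND rule.
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $andRule

# Confirm what is now in effect.
Get-AdfsAdditionalAuthenticationRule | Format-List
```

With the AND rule, group members on the intranet and all non-members are not prompted for MFA, so confirm that this reduced coverage is what your policy intends before applying it.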