Hoping someone else has run into this…
So we are integrating Duo with Office 365 via Azure AD Conditional Access policies. Our Azure AD is currently integrated with our AD via an ADFS 3.0 environment. The problem we’re running into is the O365 thick clients (Outlook / Skype / Teams) are prompting users for credentials when they shouldn’t.
1. User launches Outlook/Teams/Skype
2. Client pops up the Microsoftonline login window asking for email address
3. User provides company email and is redirected to our ADFS login page
4. ADFS Login page prompts for username/password
5. Duo prompts
6. User is logged in.
The problem is Step 4 shouldn’t happen if the user is on our internal network. ADFS uses “windows authentication” when you’re on the internal network, which allows for transparent login (user doesn’t type in credentials). This works perfectly for websites, like Outlook.office.com or any other web-based app we have integrated with Azure AD, but not the Outlook/Skype/Teams clients.
Anyone run into this and find a way to fix it? I really don’t want people having to log into Office more often just because of Duo (even if it is once every 60-90 days).