I apologize if this question has been asked previously; I at least attempted some due diligence.
We have an on-prem AD environment synced to our Azure AD tenant, with hybrid join enabled for workstations and sync for user/group objects. Nothing exciting there.
Our AzureAD domain is Federated with PingFederate IDP - this results in users logging into SAML/OIDC protected applications being redirected to our IDP vs using the Microsoft Azure Native login page.
And finally, we have Duo Integrated into Azure Conditional Access as a custom MFA control, and have our campus IP space marked as trusted to avoid MFA prompts when internal.
Ping as IDP workflow:
App > Ping > Duo for Ping > App
Azure as IDP workflow:
App > Azure Redirect > Ping > Duo for Azure via CA > App
Once we started to hybrid join our workstations to Azure AD (which automatically enables Azure SSO functionality), applications that we protect with AzureAD via SAML (Cisco AnyConnect, for example) do not prompt users for Duo. The application is SSO'ed by the JWT on the hybrid-joined device and away they go. I mostly understand the WHY behind this: the Windows auth token is considering me a valid user because I made an MFA logon to another Azure-protected app recently, and is marking me as "good to go".
The question is, what mechanisms do I have that would allow me to FORCE a Duo prompt to the user for certain workflows in the event I needed to? So far the only way I have gotten this to work is by implementing a session duration limit of 1 hour on some applications. The end result is that users who log in to the Windows GINA have 1 hour to SSO into an application before they are prompted. It's pretty cheesy.
I realize this is an AzureAD/Conditional Access issue and not a Duo issue. I am asking this here in case someone else has come up with a neat workaround. It appears AzureAD treats 3rd-party MFA significantly differently in these workflows than its own MFA.
In summary, Azure SSO (enabled by the Azure hybrid join process) will skip the 3rd-party MFA custom control in Conditional Access at its leisure, and I can't figure out how to FORCE Duo to prompt for workflows we require.
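One way to at least see how often this happens, added here as an example and not code from the original post or from Duo or Microsoft: audit sign-in records for the protected app and flag sign-ins where Conditional Access reported success for a policy that enforces the custom control, yet no MFA step was recorded in that sign-in (the control was satisfied by an existing token, which is the hybrid-join SSO behaviour described above). It also reports how long ago the user last completed MFA, so the 1-hour session-duration workaround can be checked against real data. The field names (appDisplayName, conditionalAccessStatus, appliedConditionalAccessPolicies, enforcedGrantControls, mfaDetail, deviceDetail) follow the Microsoft Graph signIn resource as I understand it and the control name "Duo" is assumed; the records are constructed, so verify the fields against your own export before relying on it.

```python
# Added example: find sign-ins to protected apps where a Conditional Access
# policy enforcing a custom MFA control succeeded without an MFA step in that
# sign-in (i.e. satisfied by an existing token on a hybrid-joined device).
# Field names follow the Graph signIn resource as assumed in the lead-in.
from datetime import datetime
from typing import Optional

# Constructed sample records (not real sign-in log data).
SAMPLE_SIGNINS = [
    {"id": "sgn-0", "userPrincipalName": "alice@example.edu", "appDisplayName": "Office 365",
     "createdDateTime": "2024-01-01T08:30:00+00:00", "isInteractive": True,
     "conditionalAccessStatus": "success",
     "deviceDetail": {"trustType": "Hybrid Azure AD joined"},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require Duo", "result": "success", "enforcedGrantControls": ["Duo"]}],
     "mfaDetail": {"authMethod": "Duo"}},
    # Later, non-interactive SSO into the VPN app: policy "succeeds" but no MFA happened here.
    {"id": "sgn-1", "userPrincipalName": "alice@example.edu", "appDisplayName": "Cisco AnyConnect",
     "createdDateTime": "2024-01-01T10:00:00+00:00", "isInteractive": False,
     "conditionalAccessStatus": "success",
     "deviceDetail": {"trustType": "Hybrid Azure AD joined"},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require Duo for VPN", "result": "success", "enforcedGrantControls": ["Duo"]}],
     "mfaDetail": None},
    # A sign-in where Duo was actually performed: not flagged.
    {"id": "sgn-2", "userPrincipalName": "bob@example.edu", "appDisplayName": "Cisco AnyConnect",
     "createdDateTime": "2024-01-01T11:00:00+00:00", "isInteractive": True,
     "conditionalAccessStatus": "success",
     "deviceDetail": {"trustType": "Azure AD registered"},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require Duo for VPN", "result": "success", "enforcedGrantControls": ["Duo"]}],
     "mfaDetail": {"authMethod": "Duo"}},
    # Policy not applied at all (e.g. trusted-IP exclusion): a different condition, not flagged here.
    {"id": "sgn-3", "userPrincipalName": "carol@example.edu", "appDisplayName": "Cisco AnyConnect",
     "createdDateTime": "2024-01-01T12:00:00+00:00", "isInteractive": True,
     "conditionalAccessStatus": "notApplied",
     "deviceDetail": {"trustType": "Hybrid Azure AD joined"},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require Duo for VPN", "result": "notApplied", "enforcedGrantControls": []}],
     "mfaDetail": None},
]


def _ts(rec: dict) -> datetime:
    """Parse the record timestamp (ISO 8601 with offset)."""
    return datetime.fromisoformat(rec["createdDateTime"])


def policy_enforced_control(rec: dict, control: str) -> bool:
    """True if some applied policy succeeded while enforcing the named grant control."""
    return any(p.get("result") == "success" and control in p.get("enforcedGrantControls", [])
               for p in rec.get("appliedConditionalAccessPolicies", []))


def mfa_performed(rec: dict) -> bool:
    """True if this particular sign-in recorded an MFA step."""
    return bool(rec.get("mfaDetail"))


def hours_since_last_mfa(records: list, user: str, before: datetime) -> Optional[float]:
    """Hours between `before` and the user's most recent sign-in that performed MFA."""
    prior = [_ts(r) for r in records
             if r["userPrincipalName"] == user and mfa_performed(r) and _ts(r) < before]
    if not prior:
        return None
    return (before - max(prior)).total_seconds() / 3600


def find_token_satisfied_mfa(records: list, protected_apps: set, control: str) -> list:
    """Sign-ins to protected apps where the control was enforced but no MFA step occurred."""
    findings = []
    for rec in sorted(records, key=_ts):
        if rec["appDisplayName"] not in protected_apps:
            continue
        if rec.get("conditionalAccessStatus") != "success":
            continue
        if not policy_enforced_control(rec, control):
            continue
        if mfa_performed(rec):
            continue
        findings.append({
            "id": rec["id"],
            "user": rec["userPrincipalName"],
            "device_trust": rec.get("deviceDetail", {}).get("trustType"),
            "interactive": rec.get("isInteractive"),
            "hours_since_mfa": hours_since_last_mfa(records, rec["userPrincipalName"], _ts(rec)),
        })
    return findings


def exceeds_session_limit(finding: dict, max_age_hours: float) -> bool:
    """Would a sign-in frequency of `max_age_hours` have forced a fresh prompt here?"""
    age = finding["hours_since_mfa"]
    return age is None or age > max_age_hours


if __name__ == "__main__":
    for f in find_token_satisfied_mfa(SAMPLE_SIGNINS, {"Cisco AnyConnect"}, "Duo"):
        print(f, "reprompt under 1h limit:", exceeds_session_limit(f, 1.0))
```

On a real export (for example from the Graph sign-ins endpoint, filtered to the app), this gives a count of how many VPN sessions were established on a token older than your session limit, which is a more defensible basis for choosing the limit than the 1-hour guess.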