Duo + Azure Conditional Access - Hybrid SSO Skipping MFA

I apologize if this question has been asked previously, I at least attempted some due diligence.

We have an On-prem AD Environment synced to our Azure AD tenant, with hyrbid join enabled for workstations and sync for user/group objects. Nothing exciting there.

Our AzureAD domain is Federated with PingFederate IDP - this results in users logging into SAML/OIDC protected applications being redirected to our IDP vs using the Microsoft Azure Native login page.

And finally, we have Duo Integrated into Azure Conditional Access as a custom MFA control, and have our campus IP space marked as trusted to avoid MFA prompts when internal.

Ping as IDP workflow:
App > Ping > Duo for Ping > App

Azure as IDP workflow:
App > Azure Redirect > Ping > Duo for Azure via CA > App

Once we started to Hybrid join our workstations to Azure AD (which automatically enables Azure SSO functionality), applications that we protect with AzureAD via SAML (Cisco AnyConnect for example) do not prompt users for DUO. The application is SSO’ed by the JWT on the Hybrid joined device and away they go. I mostly understand the WHY behind this - the Windows auth token is considering me a valid user as I made a MFA logon to another Azure protected App recently and is marking me as “good to go”.

The question is, what mechanisms do I have that would allow me to FORCE a duo prompt to the user for certain workflows in the event I needed to? So far the only way I have gotten this to work is by implementing a session duration limit of 1 hour on some applications. The end result is that users that login to the windows GINA have 1 hour to SSO into an application before they are prompted. Its pretty cheesy.

I realize this is a AzureAD/Conditional Access issue and not a DUO issue. I am asking this here in case someone else has come up with a neat workaround. It appears AzureAD treats 3rd party MFA significantly different in these workflows then their own MFA.

In summary, AzureSSO (enabled by the Azure Hybrid join process) will skip the 3rd party MFA custom control in conditional access at its leisure, and I cant figure out how to FORCE duo to prompt for workflows we require.

Hmm, that’s interesting. I haven’t found that to be the case (I’m using pure Azure auth with no other IdP’s in the mix, plus Duo via Conditional Access).
Just so I’m understanding the issue - you have sign-in frequency in CA set to 1 hour, and after a user logs in to the computer they are not prompted for MFA until after that first hour? If that’s the case, it looks like that is by design and that the Windows login counts as the start of that session: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime

What happens if you turn off the CA sign-in frequency setting altogether?