Duo for Azure AD not passing authentication back to the CA Policy


I have an issue with a Duo implementation with Azure AD and a conditional access policy. For authentications with a mobile phone app, the users are presented with the login screen for Azure AD, enter the password, and are then presented with the Duo options. They push the prompt and approve it. From there, the log in Azure shows that the MFA was not satisfied even though the user approved the login.

This works fine on workstations, laptops/desktops. It happens just on mobile phone apps that support Modern Authentication.


Are the mobile users blocked from completing login to Azure when this happens?

Do you also have any CA policies applied to mobile app sign-in with the “Require multifactor authentication” access control?

Azure does not recognize the Duo custom control for CA (or any third-party custom control) as “multifactor authentication”, so if you have a CA policy applied that includes the “Require multifactor authentication” rule, then it can’t be satisfied by third-party custom controls.

The information here describes Microsoft’s limitations for custom controls.
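One way to check a tenant for the overlap described in the reply above, as an added example that is not part of the original thread: it scans exported CA policies (in the shape of Microsoft Graph `conditionalAccessPolicy` objects) for enabled policies that require built-in MFA on mobile app sign-ins alongside policies that rely on a custom control. The sample data, display names and control ID are constructed placeholders, and the check assumes overlap by client app type only; it does not compare user or application scoping.

```python
import json

# Constructed sample export; names and the custom control ID are placeholders.
SAMPLE_EXPORT = json.loads("""
[
  {"displayName": "Duo for all apps", "state": "enabled",
   "conditions": {"clientAppTypes": ["all"]},
   "grantControls": {"operator": "OR", "builtInControls": [],
                     "customAuthenticationFactors": ["<duo-control-id>"]}},
  {"displayName": "Mobile apps require MFA", "state": "enabled",
   "conditions": {"clientAppTypes": ["mobileAppsAndDesktopClients"]},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"],
                     "customAuthenticationFactors": []}},
  {"displayName": "Old MFA policy", "state": "disabled",
   "conditions": {"clientAppTypes": ["all"]},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"],
                     "customAuthenticationFactors": []}}
]
""")

# Client app types under which a mobile app using Modern Authentication falls.
MOBILE_TYPES = {"all", "mobileAppsAndDesktopClients"}


def covers_mobile(policy):
    # Assumption: a missing or empty clientAppTypes is treated as "all".
    types = (policy.get("conditions") or {}).get("clientAppTypes") or ["all"]
    return bool(set(types) & MOBILE_TYPES)


def grant(policy, key):
    # Grant controls may be null in an export; normalise to an empty list.
    return (policy.get("grantControls") or {}).get(key) or []


def find_conflicts(policies):
    """Return (mfa_policy, custom_control_policy) display-name pairs that both
    apply to mobile app sign-ins. The built-in "mfa" requirement in the first
    cannot be satisfied by the custom control in the second."""
    active = [p for p in policies
              if p.get("state") == "enabled" and covers_mobile(p)]
    needs_mfa = [p for p in active if "mfa" in grant(p, "builtInControls")]
    custom = [p for p in active if grant(p, "customAuthenticationFactors")]
    return [(m["displayName"], c["displayName"])
            for m in needs_mfa for c in custom]


if __name__ == "__main__":
    for mfa_name, custom_name in find_conflicts(SAMPLE_EXPORT):
        print(f"'{mfa_name}' requires built-in MFA; "
              f"'{custom_name}' relies on a custom control")
```

Each pair it reports is a candidate for review: confirm in the portal whether the two policies target the same users and applications.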