Duo Integration with ADFS


#1

We have a new use case requested by a customer. The details are mentioned below.

Initial Use Case Concern:

Customer had hosted O365 webmail in Okta. We had integrated Duo with Okta to have MFA enabled for O365. The concern raised was that external users trying to access the webmail from outside were prompted thrice for authentication (Okta->Duo->O365); this was a pain point for the customer. So we were looking for an alternative solution.

Current Use Case:
We found that Duo has the capability to integrate with ADFS directly to protect browser-based federated logins like O365. We are in the process of getting this POC executed. Customer wants to make sure that he will not have to authenticate with Duo to access his mailbox through Outlook. He should only have to authenticate with Duo if he tries to access his mailbox with OWA. This is mainly for users accessing from external devices. Can you kindly share your inputs on this? Will there be any concern for users using Outlook too if the Duo plugin has been installed on ADFS?


#2

Hi Vignesh_S,

AD FS v3+ supports very granular multifactor authentication rules, where one can require (or specifically bypass) MFA for users, groups, networks, subnets, authentication endpoints, user agents, etc.

I suggest you familiarize yourself with Modern Authentication for Office 365 clients , read through our Office 365 documentation, and then take a close look at our Guide to Advanced AD FS MFA configuration. I think these will answer many of your questions.

Thanks for trying Duo!


#3

Thank you, Kristina. I had gone through the docs. I have a couple of clarifications here.

  1. The requirement is that users who are accessing via the external proxy with the help of web browsers need to have 2FA enabled for O365. I do see a custom rule for that. But we also do have endpoints which have ActiveSync enabled. Does executing this rule affect the ActiveSync endpoints too, which access O365 via Outlook or any other mail applications?

  2. I also do see a custom rule to globally disable 2FA on ActiveSync and Autodiscover endpoints while requiring 2FA for all other connection types. Does executing this rule affect endpoints like Outlook 2016 applications hosted on Windows machines?

The ultimate solution which we are expecting is: users should only be prompted for 2FA if they are using OWA to access their mailbox.


#4

If modern authentication is enabled on the tenant then Outlook 2016 clients perform a passive logon using the web endpoint. Therefore, if you were to apply an additional authentication rule that issues a claim for MFA to web logins, this would also affect Outlook 2016. This is

There are multiple options available from Microsoft here. The claims rules options available in AD FS are highly flexible. You could not enable modern auth on the Exchange Online tenant and then apply a rule that issues MFA claims for web access. The Outlook 2016 clients will continue to use basic authentication and remain unaffected. Or, you could apply a rule that issues an MFA claim for web access and specifically exclude the Outlook user agent, or apply a rule that issues MFA claims for web access (which would include Outlook 2016) but only for external WAP access, etc.

While we’ve demonstrated some of the additional authentication rules we commonly see our customers using, the rules you ultimately implement are highly dependent on your individual deployment and goals. You may need to do some experimentation, consulting the Microsoft documentation for constructing access rules in AD FS as well as their guidance for modern authentication in Office clients to find your optimal configuration.

You may find these other references helpful as well:



#5

Hi Kristina,

I have set up a lab environment with internal and external traffic. As per our requirement we will need to enable MFA only for external users trying to access O365 over web browsers and also to disable MFA for ActiveSync-enabled devices. I had tried multiple combinations of claim rules and find the below one more apt. But I do see Outlook (mobile and desktop) applications also prompting for MFA once this rule is fired. I understand both web browsers and Outlook 2016 (and patched 2013 clients on PC) all look like web browsers while Modern Authentication is turned on. Is there a way I can write a rule to disable MFA for external Outlook clients and enable MFA only for external web browsers? My rule is mentioned below. Can you help me out here?

Set-AdfsRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform" -AdditionalAuthenticationRules 'exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]) && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.AutoDiscover"]) => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'

Regards
Vig


#6

@vigsuk

I can think of two options:

  1. Create a rule that incorporates http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent to exclude the useragent for your Office 2016 applications. You’ll need to enable AD FS trace logging and examine your incoming authentications to get the exact useragents for the Outlook clients in your org. Keep in mind that useragents are trivially spoofable (like with a browser extension)

  2. Disable modern auth on your Office 2016 clients via the registry, so they will revert to basic authentication. https://support.office.com/en-us/article/how-modern-authentication-works-for-office-2013-and-office-2016-client-apps-e4c45989-4b1a-462e-a81b-2a13191cf517
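One way to write option 1 above, as an added example rather than the poster's own rule: it extends the rule from post #5 with a user-agent exclusion so that external browsers still get the multipleauthn claim while a matching Outlook client does not. The user-agent pattern is a placeholder (the real value must come from your AD FS trace logs), and the read-back with Get-AdfsRelyingPartyTrust is an assumption about how you would verify the stored rule.

```powershell
# Added example, not from the thread. Extends the poster's rule with an exclusion on
# x-ms-client-user-agent (option 1 above). PLACEHOLDER: replace with the exact
# user-agent string captured from AD FS trace logging for your Outlook clients.
# A user agent is client-supplied and trivially spoofable, so this exclusion is a
# convenience for known clients, not a security boundary; keep the ActiveSync and
# AutoDiscover exemptions, since those clients cannot render an MFA prompt.
$OutlookUserAgentPattern = 'PLACEHOLDER-Outlook-UserAgent'

# AD FS claim rule language: issue the multipleauthn claim only when the request is
# external (insidecorporatenetwork == false), hits a passive web endpoint, and is not
# ActiveSync, AutoDiscover, or the excluded Outlook user agent.
$rule = @"
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
 && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.AutoDiscover"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "$OutlookUserAgentPattern"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

# Apply the rule to the Office 365 relying party trust (replaces any existing
# additional authentication rules on that trust, so merge with anything you already have).
Set-AdfsRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform" -AdditionalAuthenticationRules $rule

# Read the rule back to confirm what AD FS actually stored before testing logins.
(Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform").AdditionalAuthenticationRules
```

After applying it, test from an external browser (expect the Duo prompt), an external Outlook client (expect no prompt only if its user agent matches the pattern), and an ActiveSync device (expect no prompt), and watch the AD FS trace log to confirm which branch each request took.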


#7

Hi Kristina,

Currently our customer is using Office 2013, and I have also verified our tenant and it is not Modern Authentication enabled.

In my test setup, I have disabled Modern Authentication on my tenant. I have integrated Duo with ADFS, tested a few things, and the output is mentioned below.

– Connection via browsers prompted for Duo MFA options.
– Clients like Outlook 2013 just prompted for basic authentication to log in to the mailbox (checked internally).
– Tried logging in using the Outlook app for Android & iOS and was prompted for Duo MFA.
– For the ActiveSync device I was not able to authenticate. It said username/password incorrect (used the same one which was successful before disabling Modern Auth).

As per our current stand and requirement, to just enable Duo MFA for external users via web browsers with Modern Auth disabled for our O365 tenant, and we use Office 2013 for now: will this serve as a better solution? I need to do some more testing but wanted your opinion on whether we might face any issues on this.

Regards
VigSuk


#8

You’d still need to construct a rule to exempt ActiveSync clients, which cannot show the MFA prompt.


#9

Hi Kristina,

I had enabled the registry settings for the Outlook 2013 client but still I don't see the interception for Duo 2FA. I do have the recommended version of Outlook, which is above 15.0.47. Do we need anything else to be done?


#10

I don’t understand. You said you wanted “Clients like Outlook2013 just prompted for basic authentication” so then not sure why you would expect the 2013 clients to see Duo 2FA. Did your requirements change since your last comment?


#11

Hi Kristina,

I apologize for not giving out more details. I would like to clarify the things below.

Firstly, I had mentioned earlier that our tenant was not Modern Authentication enabled. But in the Duo documentation it has been mentioned that Office 2013 and 2016 desktop applications (including Outlook and Skype for Business) can connect to Office 365 after Duo AD FS adapter installation only if Modern Authentication is enabled for your Office 365 tenant, and also I had received a note from Duo support that, with modern auth disabled, we can expect to see some unexpected behaviors as there would be no guarantee that Microsoft services would know how to process a multifactor auth. So I had wanted to test the setup and went ahead and enabled Modern Authentication for our tenant and also changed the required registry setting for Office 2013. I had also checked the Office version and it was above 15.0.4753.1001 as mentioned by Microsoft. But still I don't see the MFA prompt for Outlook 2013. It would be great if you can let me know if I am missing anything here.

Also, as per our requirement we just want to enable 2FA for external browser clients. But it would be difficult for us to execute a rule to exempt Outlook mail clients alone who log in from the external network, since browser and Outlook clients will both be hitting the passive endpoints. I would like to know if I can go ahead and enable Modern Auth for our tenant and, if I do not enable the registry settings for Outlook 2013, will I be able to connect to Office 365 without any issues after enabling Duo?

I have the below ADFS rule in place to allow access to external clients only and to disable MFA for ActiveSync-enabled devices.

Set-AdfsRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform" -AdditionalAuthenticationRules 'exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]) && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.AutoDiscover"]) => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'

Regards
Vignesh


#12

It is unclear at this point if you have enabled modern auth on your Exchange Online tenant or not, as in your last post you say both “I had wanted to test the setup and went ahead and enabled Modern Authentication for our tenant” and “I would like to know if I can go ahead and enable Modern auth for our tenant”.

If you have not enabled modern auth in your tenant then Outlook 2013 will not show an MFA prompt. If you do not enable modern auth in your tenant and you have only Outlook 2013 clients and you have crafted your relying party authentication rules to exempt Active Sync (basic auth) clients from MFA, and you do see the Duo prompt in web browser O365 logins, then your work is done.

Outlook 2016 will want to use modern auth for a new profile by default. You can force Outlook 2016 to use basic auth only by creating the same reg key you create for 2013 to enable ADAL, but you just set it to 0 to disable ADAL (#2 here).

If you did enable modern auth in your tenant and you created the EnableADAL reg value set to 1 and don’t see the web login prompt in Outlook 2013, are you testing with an existing profile or a new one? We’ve seen that Exchange clients continue to use whatever authentication method was used at setup. An ActiveSync client profile won’t automatically switch to use modern auth. You’d need to delete the mail client profile, and also check Control Panel > Credential Manager and remove any cached entries for O365/Exchange Online. Then launch Outlook and add the account again. At that point you should see the modern auth prompt (assuming the EnableADAL reg value was created correctly).


#13

Hi Kristina,

With regards to your doubt: in the first paragraph, I had mentioned I have enabled Modern Auth for my lab setup for testing purposes. In the last paragraph, I would like to know if I can go ahead and enable Modern Auth for our tenant in production and, if I do not enable the registry settings for Outlook 2013, will I be able to connect to Office 365 without any issues after enabling Duo?

Also, with regards to your comment on deleting the mail profile to enable Modern Auth: the customer is already in production, so I am not sure how we can go about doing this.

Regards
Vignesh


#14

If you do not set the EnableADAL reg value and you exclude ActiveSync from MFA in the AD FS rule then yes, enabling modern authentication in production should let Office 2013 clients continue to connect.

If you don’t want Office clients to use modern authentication, there is no need to enable it in the tenant. However, if you go this route then you’d need to disable ADAL on 2016 clients via the same registry value you use to enable ADAL on 2013 clients.

If you do what I have just described, then there would be no reason to delete mail profiles. I only mentioned that in connection with modern authentication. If the customer ever wants to see the modern authentication prompt in Outlook 2013/2016, they may need to delete and recreate existing mail profiles. How would they go about doing this? They would need to provide instruction to the users.

If you have more questions about this you might want to contact Microsoft, as all of these are really questions about AD FS and Office 365 with an MFA provider, which may or may not be Duo (that is to say, the way AD FS and Office 365 and Office clients handle basic auth, passive web auth, modern auth & ADAL, additional authentication rules for AD FS, and the multipleauthn claim all happen BEFORE a particular vendor’s multifactor adapter is initialized).

Thank you for looking at Duo.


#15

Thank you, Kristina! Really appreciate your help!

Regards
Vignesh