Duo Integration with ADFS


#1

We have a new use case requested by a customer. The details are mentioned below.

Initial Use Case Concern:

The customer had hosted O365 webmail in Okta. We had integrated Duo with Okta to have MFA enabled for O365. The concern raised was that external users trying to access the webmail from outside were prompted three times for authentication (Okta -> Duo -> O365); this was a pain point for the customer, so we were looking for an alternative solution.

Current Use Case:
We found that Duo has the capability to integrate with ADFS directly to protect browser-based federated logins like O365. We are in the process of getting this POC executed. The customer wants to make sure that he will not have to authenticate with Duo to access his mailbox through Outlook. He should only have to authenticate with Duo if he tries to access his mailbox with OWA. This is mainly for users accessing from external devices. Can you kindly share your inputs on this? Will there be any concern for users using Outlook too if the Duo plugin has been installed on ADFS?


#2

Hi Vignesh_S,

AD FS v3+ supports very granular multifactor authentication rules, where one can require (or specifically bypass) MFA for users, groups, networks, subnets, authentication endpoints, user agents, etc.

I suggest you familiarize yourself with Modern Authentication for Office 365 clients , read through our Office 365 documentation, and then take a close look at our Guide to Advanced AD FS MFA configuration. I think these will answer many of your questions.

Thanks for trying Duo!


#3

Thank you, Kristina. I had gone through the docs. I have a couple of clarifications here.

  1. The requirement is that users who are accessing via the external proxy with the help of web browsers need to have 2FA enabled for O365. I do see a custom rule for that. But we also do have endpoints which have ActiveSync enabled. Does executing this rule affect the ActiveSync endpoints too, which access O365 via Outlook or any other mail applications?

  2. I also do see a custom rule to globally disable 2FA on ActiveSync and Autodiscover endpoints while requiring 2FA for all other connection types. Does executing this rule affect endpoints like Outlook 2016 applications hosted on Windows machines?

The ultimate solution which we are expecting is that users should only be prompted for 2FA if they are using OWA to access their mailbox.


#4

If modern authentication is enabled on the tenant then Outlook 2016 clients perform a passive logon using the web endpoint. Therefore, if you were to apply an additional authentication rule that issues a claim for MFA to web logins, this would also affect Outlook 2016. This is

There are multiple options available from Microsoft here. The claims rules options available in AD FS are highly flexible. You could not enable modern auth on the Exchange Online tenant and then apply a rule that issues MFA claims for web access. The Outlook 2016 clients will continue to use basic authentication and remain unaffected. Or, you could apply a rule that issues an MFA claim for web access and specifically exclude the Outlook user agent, or apply a rule that issues MFA claims for web access (which would include Outlook 2016) but only for external WAP access, etc.

While we’ve demonstrated some of the additional authentication rules we commonly see our customers using, the rules you ultimately implement are highly dependent on your individual deployment and goals. You may need to do some experimentation, consulting the Microsoft documentation for constructing access rules in AD FS as well as their guidance for modern authentication in Office clients to find your optimal configuration.

You may find these other references helpful as well:
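As an added example (not Duo's or Microsoft's published rule, and not part of the original reply), the following AD FS additional authentication rule combines the options described above: it issues the MFA claim only for passive (browser-style) logins arriving from outside the corporate network, and excludes the Outlook user agent so that Outlook 2016's modern-auth passive logon is not caught. It assumes /adfs/ls is the passive endpoint in use, that the insidecorporatenetwork claim is populated (which requires the Web Application Proxy deployment), that the Outlook user-agent string contains "Microsoft Office", and that the relying party is named "Microsoft Office 365 Identity Platform"; verify each of these against your own AD FS logs and trusts before relying on it.

```powershell
# Added example, not the rule published by Duo or Microsoft.
# Assumptions (verify in your environment):
#  - /adfs/ls is the passive endpoint browsers and modern-auth clients use
#  - insidecorporatenetwork is issued (needs WAP / proxy in the path)
#  - the Outlook user agent contains "Microsoft Office" (check AD FS audit logs)
#  - the O365 relying party trust carries the default display name below
$RelyingParty = "Microsoft Office 365 Identity Platform"

$MfaRule = @'
@RuleName = "MFA for external browser logins, excluding Outlook"
EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)"])
 && EXISTS([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
 && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "Microsoft Office"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Scope the rule to the Office 365 relying party rather than applying it globally,
# so other federated applications keep their own MFA policy.
Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -AdditionalAuthenticationRules $MfaRule

# Read the rule back to confirm what AD FS will actually evaluate.
(Get-AdfsRelyingPartyTrust -TargetName $RelyingParty).AdditionalAuthenticationRules
```

The user-agent header is supplied by the client, so the Outlook exclusion is a usability carve-out rather than a security boundary; internal (insidecorporatenetwork == true) and ActiveSync requests never match the first two conditions and are therefore not prompted by this rule at all.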