Duo Single Sign On with O365/M365: Bypass for unenrolled Duo users?

I have a question regarding Duo Single Sign On for O/M365: Duo Single Sign-On for Microsoft 365 | Duo Security. We have around 300 users in O/M365. All users are on a single, custom domain. We currently only have 20 users onboarded in Duo. If we enable Duo Single Sign On for O/M365, will users who are not onboarded in Duo be able to bypass 2FA/enrollment and just sign in without 2FA? The reason I ask is that we would like to enable Duo Single Sign On for just the users who are onboarded in Duo. So we’re not sure what happens to a user who is not onboarded/enrolled in Duo when Duo Single Sign On is enabled. Thanks.

Hi @peter-supply,

When you federate M365 to a third-party IdP, it is all-or-nothing for that particular domain. This means that all users will see the Duo SSO username/password flow.

You can, however, allow users to bypass enrollment and MFA by setting the New User Policy to “Allow Access”. This will make it so that users do not enroll until you add them into the Duo Admin Panel.

Hope this helps and let us know if you have any other questions!

- Colin

Thanks. This is very helpful. I do understand that all users will see the Duo SSO page, but it is good to know that if “Allow Access” is set for the New User Policy, users not enrolled in Duo can simply enter their username/password and log in without the need for Duo enrollment. Appreciate the help.

Another question: we use Azure Federated Services as an SSO platform for numerous applications such as ZenDesk, Dropbox Business, etc. When we enable Duo SSO for M365 email, will SSO for all these third-party services be redirected to the Duo SSO page as well?

Hi @peter-supply,

Users of the domains you federate in M365 would redirect to Duo SSO for all logins including any SSO applications federated to M365.

One thing to note is that those applications still aren’t using Duo SSO at all; they are still tied to Azure for authentication, and then Azure is redirecting to Duo SSO for authentication.

Duo SSO → Azure → Application

Thanks. That’s what I thought. Is there a way to enable Duo 2FA for the other applications using Azure SSO?