Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1584
Views
0
Helpful
5
Replies

Duo Single Sign On with O365/M365: Bypass for unenrolled Duo users?

peter-supply
Level 1
Level 1

‎07-07-2022 11:12 AM

I have a question regarding Duo Single Sign On for O/M365: Duo Single Sign-On for Microsoft 365 | Duo Security. We have around 300 users in O/M365. All users are on a single, custom domain. We currently only have 20 users onboarded in Duo. If we enable Duo Single Sign On for O/M365, will users who are not onboarded in Duo be able to bypass 2FA/enrollment and just sign in without 2FA? The reason I ask is that we would like to enable Duo Single Sign On for just the users who are onboarded in Duo. So we’re not sure what happens to a user who is not onboarded/enrolled in Duo when Duo Single Sign On is enabled. Thanks.

Labels:
0 Helpful
5 Replies 5

colin_medfisch
Cisco Employee
Cisco Employee

‎07-07-2022 11:28 AM

Hi @peter-supply,

When you federate M365 to a third-party IdP, it is all-or-nothing for that particular domain. This means that all users will see the Duo SSO username/password flow.

You can however allow users to bypass enrollment and MFA by setting the New User Policy to “Allow Access”. This will make it so that users do not enroll until you add them into the Duo Admin Panel.

Hope this helps and let us know if you have any other questions!

  • Colin
0 Helpful

peter-supply
Level 1
Level 1
In response to colin_medfisch

‎07-07-2022 11:41 AM

Thanks. This is very helpful. I do understand that all users will see the Duo SSO page- but it good to know that if “Allow Access” is set for the New User Policy, that users not enrolled in Duo can simply enter their username/password and login without the need for Duo enrollment. Appreciate the help.

0 Helpful

peter-supply
Level 1
Level 1

‎07-11-2022 04:05 AM

Another question, we use Azure Federated Services as a SSO platform for numerous applications such as ZenDesk, Dropbox Business, etc. When we enable Duo SSO for M365 email, will SSO for all these third-party services be redirected to the Duo SSO page as well?

0 Helpful

jamieis
Cisco Employee
Cisco Employee
In response to peter-supply

‎07-11-2022 06:15 AM

Hi @peter-supply,

Users of the domains you federate in M365 would redirect to Duo SSO for all logins including any SSO applications federated to M365.

One thing to note is that those applications still aren’t using Duo SSO at all, they are still tied to Azure for authentication and then Azure is redirecting to Duo SSO for authentication.

Duo SSO → Azure → Application

0 Helpful

peter-supply
Level 1
Level 1
In response to jamieis

‎07-11-2022 02:22 PM

Thanks. That’s what I thought. Is there a way to enable Duo 2FA for the other applications using Azure SSO?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents