DUO SSO for O365 / ADFS setup

PFelten · ‎08-16-2022

Hey folks, So I am setting up DUO SSO for the first time. The goal is to get an MFA prompt when users log into Office.com. ADFS is NOT setup on my Windows 2016 Server, but Azure AD Connect is already setup and configured. Do I need to re-configure Azure AD Connect for ADFS or just install ADFS from Add Roles / Features and go from there? I am a bit confused by the DUO SSO documentation. It instructs from the perspective that Azure AD Connect has not been set yet.

DuoKristina · ‎08-17-2022

What do you actually want to use as the federated identity provider, Duo SSO or AD FS? If you are using Duo SSO you would not need to set up federation with AD FS in AAD Connect at all, and nowhere in the instructions does it suggest that.

If you already set up synchronization you might need to adjust it to use mS-DS-ConsistencyGuid as the source anchor attribute if it isn’t already configured that way (as mentioned in the Prepare your Microsoft Tenant for Federation section of the Duo SSO for M365 documentation. Also ensure you have met the custom domain requirement.

Then proceed with converting your custom domain from managed to federated per the rest of the Duo SSO for M365 instructions.

Duo, not DUO.

PFelten · ‎08-18-2022

Thanks DouKristina. Ah, maybe that is where I got confused. I thought Microsoft ADFS needed to be setup for DUO single sign-on to work. It sounds like DUO can take on that responsibility all by itself. Is that correct?

Concerning the domain in O365, when I try to “federate” it using the Power Shell script I download from the DUO web site, I keep getting an error saying the domain can not be federated because the primary domain can not be de-federated and re-federated. I can’t seem to find any DUO documentation that addresses this problem. That is why I assumed MS ADFS needed to be installed.

DuoKristina · ‎08-19-2022

AD FS is an identity provider for SSO which can be federated with a custom domain in Azure/M365.

Duo Single Sign-on is also an identity provider for SSO which can be federated with a custom domain in Azure/M365.

Federated sign-in redirects a user from the Microsoft login page out to the configured identity provider (Duo SSO, or AD FS, or any of a number of compatible identity providers), where the user signs in and gets redirected back to Microsoft when done.

It isn’t possible to federate a default/primary Microsoft domain. That is what this section of the documentation is talking about:

In order to federate your Microsoft 365 tenant with an external identity provider (like Duo Single Sign-On) you must have added a custom domain to Microsoft 365. You cannot federate your “onmicrosoft.com” domain. Additionally, the custom domain you have added to Microsoft 365 cannot be set as the default domain.

Additional references from Duo sources:

In the Microsoft 365 SSO doc where it says “You can federate each domain inside of your Microsoft 365 tenant except for your default domain and your “onmicrosoft.com” domain.”
What do I do if I encounter the Powershell error “You cannot change the initial domain created for you in Office 365.” when converting Office 365 domain to Federated Authentication?
Why do I receive an error about the “default domain” when I try to enable federated authentication on my Office 365 tenant?

Here is the Domains FAQ from Microsoft.

Duo, not DUO.

PFelten · ‎08-22-2022

Hello… I looked at the links, but I don’t think they answer my question. Your message and the links seem to assume that I am trying to Federate an “onmicrosoft.com” domain. This is not the case. The domain my customers have is an actual .COM domain you purchase through GoDaddy or Network Solutions and it is setup in Microsoft Office 365 as the default / main domain. When I run the .PS1 or DUO Security M365 federation script, generated by the DUO portal for the customer, everything seems to go fine until the 4th or last step when it try’s to federate the domain name. I get the following error…

“Domain federation failed - You cannot remove this domain as the default domain without replacing it with another default domain. Use the the Set-MsolDomain cmdlet to set another domain as the default domain before you delete this domain.”

Hopefully this makes sense? The default or main domain that I am trying to federate in O365 is not an “onmicrosoft.com” domain. Rather it appears the DUO script is trying to de-federate, then re-federate the customers .COM domain name and fails during this process for some reason.

DuoKristina · ‎08-24-2022

You said:

Your message and the links seem to assume that I am trying to Federate an “onmicrosoft.com” domain. This is not the case. The domain my customers have is an actual .COM domain you purchase through GoDaddy or Network Solutions and it is setup in Microsoft Office 365 as the default / main domain.

I do understand this scenario and the doc states:

Additionally, the custom domain you have added to Microsoft 365 cannot be set as the default domain.

Both of these conditions are true per Microsoft:

You cannot federate the onmicrosoft.com domain.
You cannot federate a custom domain that is set as the default domain.

What you can do to proceed is to set the onmicrosoft.com domain back as the default domain. Then you will be able to complete the federation steps for the custom domain.

Another community user recently had the same question and was able to proceed after ensuring that the custom domain they wanted to federate was not set to be the default domain in M365.

Duo, not DUO.

PFelten · ‎08-24-2022

OK, I understand. Change the onmicrosoft.com back to the default domain and then run the DUO federation script for the custom .COM domain. Once the DUO script is done and the custom .COM domain is federated, then I can change the custom .COM domain back to primary in Office 365.

Thank you very much for your help. I really appreciate it DuoKristina!