Exchange Hybrid and Duo for ADFS

Deckard99
Level 1

Hi,

we're using Cisco Duo within our ADFS farm (Windows 2019). We're federating with O365 and requiring MFA for external access. As long as a user mailbox is located on on-prem Exchange there's no problem. If the user has a cloud mailbox, Outlook keeps asking for the password on profile/account generation. I've read through this article here: Knowledge Base | Duo Security, but even if I configure the mentioned additional authentication rule "Example custom rule to globally disable 2FA on ActiveSync and Autodiscover endpoints while requiring 2FA for all other connection types" it won't work. As soon as I disable MFA for external access the Outlook profile generation works as expected. Using Outlook 2013 or Outlook 2016 doesn't make a difference.
Anyone here who has solved this?

Regards

Accepted Solution

Hi,

after taking some time to evaluate my environment regarding O365, Duo and ADFS, I think I found the culprit.

I had modified the Access Control Policy on the O365 relying party trust, which effectively prohibited the use of additional authentication rules. After cleaning up my mess, I was able to find a functional way to achieve the desired goal.

I used the following aar
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "Microsoft.Exchange.ActiveSync|Microsoft.Exchange.Autodiscover"])
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
Taken from https://www.michev.info/Blog/Post/1393/ad-fs-and-mfa-configuring-multiple-additional-authentication-rules

Actually that is nearly identical to

https://help.duo.com/s/article/3174?language=en_US

Probably in this Duo help article the "correct wording" should be additional authentication rules instead of advanced authentication rules.

If somebody tries to use the solution, please consider the HTML formatting, which will not help with ADFS PowerShell.
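The two points this thread turns on, that an assigned Access Control Policy silently overrides custom additional authentication rules, and that curly quotes from HTML formatting break the rule when pasted into PowerShell, can both be handled in one script. The following is an added example, not code from the original posts, Duo or Microsoft. It assumes an AD FS 2016/2019 server, an elevated PowerShell session with the ADFS module, and the default relying party trust display name "Microsoft Office 365 Identity Platform"; adjust the name to match your farm.

```powershell
# Added example: apply the accepted answer's additional authentication rule to the
# Office 365 relying party trust, after checking for an Access Control Policy.
# Assumed display name of the trust; confirm with Get-AdfsRelyingPartyTrust.
$rpName = 'Microsoft Office 365 Identity Platform'

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# When an Access Control Policy is assigned, the legacy AdditionalAuthenticationRules
# are not evaluated (the culprit in this thread). Report it and clear the assignment;
# setting the policy name to $null is the documented way to revert to custom rules
# on AD FS 2016+ (verify against your version before running in production).
if ($rp.AccessControlPolicyName) {
    Write-Warning "Access Control Policy '$($rp.AccessControlPolicyName)' is assigned; additional authentication rules would be ignored. Removing it."
    Set-AdfsRelyingPartyTrust -TargetName $rpName -AccessControlPolicyName $null
}

# Single-quoted here-string: nothing is interpolated and every quote is a plain ASCII
# double quote, which is what the claim rule language expects.
$additionalAuthRule = @'
@RuleName = "Require MFA for external requests except ActiveSync and Autodiscover"
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
&& NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value =~ "Microsoft.Exchange.ActiveSync|Microsoft.Exchange.Autodiscover"])
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Refuse rule text that still carries typographic quotes copied from a web page.
if ($additionalAuthRule -match '[\u201C\u201D\u2018\u2019]') {
    throw 'Rule text contains typographic quotes; replace them with ASCII " and '' before applying.'
}

Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $additionalAuthRule

# Read back what AD FS stored so the applied rule can be compared with the intended one.
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
```

The quote check matters because `Set-AdfsRelyingPartyTrust` will happily store a rule containing U+201C/U+201D characters; the rule then fails to parse at sign-in time rather than at configuration time, which looks exactly like "the rule does nothing". Reading the property back after the change is the quickest way to confirm both that the rule was stored and that no Access Control Policy name remains on the trust.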


4 Replies

BabbittJE
Level 1

I’ve had this problem, too. I had to use this fix: Knowledge Base | Duo Security

Let us know if that resolves your issue. Good luck!

Thanks, John, for sharing that answer here! @Deckard99 - please let us know if there is anything else we can help with. We appreciate you sharing your question in the community!

Deckard99
Level 1

Hi John, Hi Amy,

unfortunately that did not help. Can anyone tell if the O365 tenant has to have modern authentication activated for that to work?

Regards
