After completing all steps in this guide Duo Protection for Microsoft 365 with Duo Access Gateway | Duo Security. Everything seemed to be working the prompts for MFA are work for devices located internally on the network. However any attempt to sign in outside of the network do not work. The redirection attempts t reach the https://yourserver.example.com/dag/saml2/idp/SSOService.php but never makes it.

Ive double checked all the routing information in regards to allowing outside traffic to the server.

Hi @zgruver, is there an error message shown when this happens, and if so, what does it say? Have you enabled debug logging for Duo Access Gateway (instructions on how to do this here)? We have a guide on how to interpret and troubleshoot DAG debug logs that is useful for understanding what is shown there. From what you’ve shared here, I am having trouble finding any documents or similar cases that would help.

You might be better off contacting Duo Support for help troubleshooting this. Be sure to include your debug logs if you do!

Hi @zgruver,

In addition to sending those logs over to Duo Support, I would recommend taking a look at our Microsoft 365 integration using Duo-hosted SSO!

We released this integration last summer after closely working with Microsoft to ensure that we built it according to their best practices. This means that we leverage WS-Fed and WS-Trust instead of just SAML for authentication. This allows us to fully support the many session types and other Microsoft features as they make changes to them.

On top of that all, it allows you to take advantage of the many other Duo SSO features, such as end-user expired password resets and our Passwordless SSO on top of just removing the need for the on-prem web server.

Sorry for the late reply turns out I just was not patient enough to wait for the DNS to propagate throughout the outside networks. After waiting a while it worked just fine.