Microsoft AD Connect + Duo SSO Federation

Hi,

I’m looking to federate Duo SSO w/ our Microsoft Azure tenant. Currently we are using Azure AD Connect w/ Pass-through Authentication w/ password write-back enabled. This allows us to use the self-service password reset (SSPR) feature.

My question - is password write-back/SSPR compatible w/ Duo SSO Federation?

From Microsoft AD Connect documentation:

Password write-back is supported in environments that use the following hybrid identity models:

  • Password hash synchronization
  • Pass-through authentication
  • Active Directory Federation Services

There’s no mention of a 3rd party federation provider (e.g. Duo).

Thanks,

Steve

Hi @SteveA ,

At this time, Microsoft does not support any third party authentication or MFA methods for Azure’s Self-Service Password Reset tool.

Please feel free to submit a Feature Request via your Account Executive, Customer Success Manager (if applicable), or our Support Team.

We also encourage customers to submit a feature request through Microsoft for this feature.

Article: Can Duo protect Microsoft Azure’s Self Service Password Recovery portal?

Thank you!

Hi DuoPablo,

Thank you for your reply but you didn’t really answer my question - said another way, changing Azure AD Connect User Sign-In settings to “Do not configure” as per Duo’s guide to federate Duo SSO w/ Microsoft, can users still use the self-service password reset (SSPR) feature?

Thanks in advance,

Steve

Hi @SteveA, I believe the answer to your question is no, but @DuoPablo will know for sure. It seems like you might be able to get around this by enabling password hash synchronization using the help article linked here.

Hi Amy,

Thanks for the info. Are you able to confirm “you might be able to get around this by enabling password hash synchronization”? It’s one of those things that I need a solid answer to before I start making changes to our AD Connect settings, etc.

Thanks in advance,

Steve

Hi Steve, checking with the team to confirm now. Will be in touch soon.

Update: I was mistaken, my apologies. SSPR will not work because Microsoft does not support SSPR workflows for third-party MFA providers. Password hash sync will still happen, but users who exist in federated domains would be logging in and validating their passwords via their AD and not Azure (even if Azure has the password for the user).
For the password write-back, that will not work because your end-users will never update their passwords via Azure since they are in a federated domain. In other words, they’d be directed through Duo SSO first, and would not be able to update their password from there.

I’ll see if I can add you to the feature request for this, but I also recommend you contact Microsoft about this and express your interest to them as well, since it’s ultimately a change they control, as DuoPablo said previously in this thread.
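The answer above turns on two facts an admin can verify before changing anything: whether the user's UPN domain is federated or managed in Azure AD, and which features (password hash sync, password write-back) Azure AD Connect currently has enabled. The following PowerShell is an added example written for this thread; it is not Duo's or Microsoft's code. It assumes the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgDomain) is installed, and that the second part runs on the Azure AD Connect server where the ADSync module's Get-ADSyncAADCompanyFeature cmdlet is available; the PasswordHashSync and PasswordWriteBack property names on its output are taken from that cmdlet as I know it and should be checked against your installed version.

```powershell
# Added example (not from the thread, Duo, or Microsoft): inventory the settings
# that decide whether Azure SSPR / password write-back still applies to a user
# once the domain is federated to a third-party IdP such as Duo SSO.

# --- Part 1: which verified domains are Managed (Azure validates passwords)
#             versus Federated (the federation provider validates them) ---
Connect-MgGraph -Scopes 'Domain.Read.All'

$domains = Get-MgDomain |
    Where-Object { $_.IsVerified } |
    Select-Object Id, AuthenticationType, IsDefault

$domains | Format-Table -AutoSize

# --- Part 2: what Azure AD Connect currently has enabled.
#             Only meaningful on the AD Connect server (ADSync module present). ---
if (Get-Command Get-ADSyncAADCompanyFeature -ErrorAction SilentlyContinue) {
    $features = Get-ADSyncAADCompanyFeature   # property names assumed, see lead-in
    [pscustomobject]@{
        PasswordHashSync  = $features.PasswordHashSync
        PasswordWriteBack = $features.PasswordWriteBack
    } | Format-List
}
else {
    Write-Host 'ADSync module not found; run Part 2 on the Azure AD Connect server.'
}

# --- Part 3: for a single user, state which sign-in path the thread describes
#             applies, based solely on the UPN suffix's authentication type. ---
function Test-SsprPathForUser {
    param(
        [Parameter(Mandatory)]
        [string] $UserPrincipalName
    )

    $suffix = ($UserPrincipalName -split '@')[-1]
    $domain = Get-MgDomain -DomainId $suffix

    if ($domain.AuthenticationType -eq 'Federated') {
        # Federated: sign-in is redirected to the IdP, so the user never changes
        # a password in Azure and write-back has nothing to write back.
        return "$UserPrincipalName -> '$suffix' is Federated: sign-in and password changes go through the federation provider; Azure SSPR/write-back does not apply."
    }

    # Managed (PHS or PTA): Azure handles the password, so SSPR/write-back can apply
    # if the features above are enabled.
    return "$UserPrincipalName -> '$suffix' is Managed: Azure SSPR/write-back can apply when enabled."
}

# Example usage with a placeholder UPN (replace with a real account):
Test-SsprPathForUser -UserPrincipalName 'user@example.com'
```

Run Part 1 and Part 3 from any workstation with Graph access, and Part 2 on the AD Connect server itself. If a domain shows `Federated`, that is the situation the thread describes: the hash may still be synced, but the user is routed to Duo SSO for authentication, so Azure's SSPR and write-back are never exercised for that user.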