Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1505
Views
0
Helpful
5
Replies

Microsoft AD Connect + Duo SSO Federation

Not applicable

‎07-26-2021 11:45 AM

Hi,

I’m looking to federate Duo SSO w/ our Microsoft Azure tenant. Currently we are using Azure AD Connect w/ Pass-through Authentication w/ password write-back enabled. This allows us to use the self-service password reset (SSPR) feature.

My question - is password write-back/SSPR compatible w/ Duo SSO Federation?

From Microsoft AD Connect documentation:

Password write-back is supported in environments that use the following hybrid identity models:

  • Password hash synchronization
  • Pass-through authentication
  • Active Directory Federation Services

There’s no mention of a 3rd party federation provider (e.g. Duo)

Thanks,

Steve

Labels:
0 Helpful
5 Replies 5

DuoPablo
Cisco Employee
Cisco Employee

‎08-09-2021 02:37 PM

Hi @SteveA ,

At this time, Microsoft does not support any third party authentication or MFA methods for Azure’s Self-Service Password Reset tool.

Please feel free to submit a Feature Request via your Account Executive, Customer Success Manager (if applicable), or our Support Team.

We also encourage customers to submit a feature request through Microsoft for this feature.

Article: Can Duo protect Microsoft Azure’s Self Service Password Recovery portal?

Thank you!

0 Helpful

Not applicable

‎08-10-2021 04:39 AM

Hi DuoPablo,

Thank you for your reply but you didn’t really answer my question - said another way, changing Azure AD Connect User Sign-In settings to “Do not configure” as per Duo’s guide to federate Duo SSO w/ Microsoft, can users still use the self-service password reset (SSPR) feature?

Thanks in advance,

Steve

0 Helpful

Amy2
Level 5
Level 5
In response to

‎08-10-2021 09:44 AM

Hi @SteveA, I believe the answer to your question is no, but @DuoPablo will know for sure. It seems like you might be able to get around this by enabling password hash synchronization using the help article linked here.

0 Helpful

Not applicable
In response to Amy2

‎08-18-2021 04:19 AM

Hi Amy,

Thanks for the info. Are you able to confirm “you might be able to get around this by enabling password hash synchronization”? It’s one of those things that I need a solid answer to before I start making changes to our AD Connect settings, etc.

Thanks in advance,

Steve

0 Helpful

Amy2
Level 5
Level 5
In response to

‎08-18-2021 06:02 AM

Hi Steve, Checking with the team to confirm now. Will be in touch soon.

Update: I was mistaken, my apologies. SSPR will not work because Microsoft does not support SSPR workflows for third-party MFA providers. Password hash sync will still happen, but users who exist in federated domains would logging in and validating their passwords via their AD and not Azure (even if Azure has the password for the user).
For the password write back, that will not work because your end-users will never update their passwords via Azure since they are in a federated domain. In other words, they’d be directed through Duo SSO first, and would not be able to update their password from there.

I’ll see if I can add you to the feature request for this, but I also recommend you contact Microsoft about this and express your interest to them as well, since it’s ultimately a change they control, as DuoPablo said previously in this thread.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents