Microsoft Azure AD + Conditional Access + Duo Policies Fail

john.lockie · ‎08-09-2018

The setup for Duo application to integrate with Microsoft Azure AD is fairly striaght forward.

I have an application that uses SAML to authenticate the user with Azure directory. A conditional rule is then used to trigger Duo 2FA. Then in my Duo portal I have a policy for the Microsoft Azure AD application which does not require trusted device, and allows SMS. Despite this, on mobile devices it ALWAYS asks the user to verify they have Duo mobile installed (or prompts for a local certificate if they happen to have one), despite that trusted device isn’t reqiured. The user can click the “I do not have Duo Mobile” and it lets them in. Therefore, the check is trivial / theatrical. Also, the SMS option does not show up.

Is this behavior typical? Is it a bug? Or is there something in the JSON file for custom control that is saved on the Azure end which needs to be changed to support this?

Sadly, the only fix is to disable Duo Mobile as a trusted endpoint configuration (as well as delete the local cert if you have one on your mobile device). Only then will the 2FA prompt come up offering the user a choice to push or code (still no SMS). This really feels like a serious BUG to me…

DuoKristina · ‎08-09-2018

I see you’ve also contacted Duo Support so you’ll receive a more detailed response there, but if you have any mobile management system enabled in your account then Duo will check for trusted status, as the two policy options are essentially “check but don’t require” and “require”.

With regard to the missing SMS authentication factor, it looks like you are restricting use of a few different factors in your global policy, and then you have a group policy attached to your Azure CA application that enables SMS. Ensure that you’re authenticating as a member of that specified group to pick up the settings that override the global settings.

Duo, not DUO.

john.lockie · ‎08-09-2018

Thanks for the info. Yes, hopefully support can provide some technical explanations here. When you say “any mobile management” system, what do you mean? Do you mean Trusted Endpoint Configurations?

And yes, I am authenticating from within the group that has the unique policy applied to it. One of the tests I did last night was to enable all 2FA options on the global policy to see if that was the issue, but for the Azure AD applications it still only showed the 2. So puzzling.

john.lockie · ‎08-09-2018

Also, where is the “Check but don’t require” option in the policy? I thought it was binary (on or off).

DuoKristina · ‎08-09-2018

When you say “any mobile management” system, what do you mean? Do you mean Trusted Endpoint Configurations?

Yes, exactly. The management integration objects you see when you click through to your Trusted Endpoints Configuration in the Duo Admin Panel. When a management integration gets activated, it’s effective for your whole account. You can limit whether it’s activated for all users or just or a designated group on the management integration’s details page.

So, the language in my previous comment was just me trying to rephrase the actual wording in the policy editor to clarify the effects of each choice.

The policy setting “Allow all endpoints” is effectively the same as “check but don’t require” in that Duo still tries to determine whether a device is trusted or not, but doesn’t make any access decisions based on that status.

The policy setting “Require endpoints to be trusted” is effectively “require” because untrusted devices will get blocked.

The Duo Support engineer will review your options in more detail, and can also help determine why your policy that allows SMS isn’t applying correctly.

Duo, not DUO.

john.lockie · ‎08-09-2018

Ok this makes some sense. Although I could have sworn it did not always do it this way. Seems like it only started happening in the last few weeks maybe. I hope Duo understands why this is weird (showing a deviec trust check window when it’s not being required by policy).

DuoKristina · ‎08-09-2018

It is currently being required by your policy, as both available trusted endpoints policy settings include a check.
We do understand this is weird! So your support engineer will talk to you more about that.

Duo, not DUO.

john.lockie · ‎08-09-2018

We were laughing here cause we don’t see a way to “uncheck” it. Once you click on the policy option…it’s just there.