The setup for Duo application to integrate with Microsoft Azure AD is fairly straightforward.
I have an application that uses SAML to authenticate the user with Azure directory. A conditional rule is then used to trigger Duo 2FA. Then in my Duo portal I have a policy for the Microsoft Azure AD application which does not require trusted device, and allows SMS. Despite this, on mobile devices it ALWAYS asks the user to verify they have Duo mobile installed (or prompts for a local certificate if they happen to have one), despite that trusted device isn't required. The user can click the "I do not have Duo Mobile" and it lets them in. Therefore, the check is trivial / theatrical. Also, the SMS option does not show up.
Is this behavior typical? Is it a bug? Or is there something in the JSON file for custom control that is saved on the Azure end which needs to be changed to support this?
Sadly, the only fix is to disable Duo Mobile as a trusted endpoint configuration (as well as delete the local cert if you have one on your mobile device). Only then will the 2FA prompt come up offering the user a choice to push or code (still no SMS). This really feels like a serious BUG to me…