
Microsoft partner center

WayneC1
Level 1

Anyone else seeing issues when going to manage their customers in Office 365, getting prompted for Microsoft MFA?

We have been using Duo for years, but starting about a month ago we now get prompted for Microsoft MFA when going through the partner center to manage a customer’s o365 tenant.

Microsoft thinks the requests getting approved by Duo are not getting encoded showing that an MFA prompt was met. They also seem to think this specific behavior is only happening to Duo partners.

9 Replies

DuoKristina
Cisco Employee

It sounds like this is due to the changes in Microsoft Partner CSP requirements. Please contact Duo Support for assistance with this.

Duo, not DUO.

Yes, it totally is, but neither Microsoft support nor Duo support has been able to identify the cause.

When you contacted Microsoft did they recommend you request a technical exception as described here: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-mandating-mfa#how-to-submit-a-request-for-technical-exception? ETA Duo Support also should have been able to review this with you as well.

Duo, not DUO.

WayneC1
Level 1

Yes, and we have been approved for the exception, but the prompt still happens.

The only way I have been able to avoid the specific prompt when moving from partner portal into the client’s tenant is to switch to Microsoft MFA and have it prompt me at login to the o365 admin or partner portal upon first login.

lthomas
Level 1

@WayneC any update on this? We’re seeing this as well.

a1ex1
Level 1

We’ve got exactly the same issue

lthomas
Level 1

We’ve battled this for a while now. It’s still present. Any further updates on this?

Amy2
Level 5

Hi folks, the latest update hasn’t changed much from the information Kristina shared earlier in this thread. This is related to changes with the Microsoft Partner Portal security requirements. We have been working toward resolving this on our end. As this Microsoft Authenticator prompt is entirely a Microsoft controlled function, we recommend reaching out to Microsoft Support to confirm that this is, in fact, the result of the security requirements noted above, and perhaps they can provide some insight as to what must be changed to meet their third-party MFA requirements.

NAHammack
Level 1

Hi all, we’ve come across the same issue and did a little digging to (a) confirm that this isn’t a security concern in terms of bypassing Duo protections on our user accounts and (b) try and determine what appears to be the underlying cause.

First, I’ve confirmed that a user who does not have the classic methods of MFA configured (Authenticator app, 3rd party TOTP, SMS, call, et al.) does not have a password-only method of signing in (i.e. directly to the Partner Portal) - the thought being that an attacker could exploit this to enroll their own device for MFA and effectively gain access as the user. I’d like to think Duo had already considered this potential method of attack, but since it wasn’t addressed above, I felt the need to manually confirm this - I still recommend others do so for posterity.

The thought process was that if the Partner Portal is requiring this method of MFA, was the Duo method being effectively bypassed - turns out that the initial authentication still requires Duo MFA to be performed (assuming your CA policies are set up in such a way), then a new authentication attempt will take place with the classic MFA requirement. Users without MFA configured will be prompted to set it up as normal - so until this is resolved I recommend having a process in place and properly configuring accepted MFA methods via the Azure AD controls to match your user expectation (e.g. disabling SMS/phone.)

I haven’t dug too deeply into the technical aspects of what’s going on, but it seems to come down to the manner in which Duo is reporting the authentication to Microsoft (or, perhaps, the manner in which Microsoft is absorbing the JWT from Duo - again, not much digging was done.)

In the sign-in logs, Duo authentication fails to be acknowledged by Microsoft as a “Multi-factor authentication” sign-in event under the Authentication requirement field, so this appears to be the crux of the issue. Since the issue is between the communication between Azure AD & Duo, there is nothing (as far as I have been able to determine) we as tenant administrators can do to resolve the issue.

For now, we’re advising that this is an annoyance and inconvenience that has apparently been under investigation by Duo for some time now. Hopefully they’ll consider their MSP partners important enough to resolve this issue with some level of expediency…
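
The sign-in log pattern described in the post above, as an added example (not part of the original thread, and not Duo's or Microsoft's code): it scans an exported sign-in log for a successful sign-in recorded as single-factor that is followed shortly by one recorded as multi-factor for the same user. Field names are assumed to follow the Microsoft Graph signIn resource; the records, the 10-minute window and the function names are constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records shaped like a sign-in log JSON export. Field names
# are assumed to follow the Microsoft Graph signIn resource; values are made up.
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": "2021-03-01T08:59:40Z", "userPrincipalName": "admin1@partner.example",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 1}},
    {"createdDateTime": "2021-03-01T09:00:05Z", "userPrincipalName": "admin1@partner.example",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"createdDateTime": "2021-03-01T09:01:30Z", "userPrincipalName": "Admin1@partner.example",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
    {"createdDateTime": "2021-03-01T10:00:00Z", "userPrincipalName": "admin2@partner.example",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
    {"createdDateTime": "2021-03-01T11:00:00Z", "userPrincipalName": "admin3@partner.example",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"createdDateTime": "2021-03-01T13:00:00Z", "userPrincipalName": "admin3@partner.example",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
])

def parse_time(value):
    # Drop sub-second digits and the trailing "Z"; timestamps are treated as UTC.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")

def find_double_prompts(export_json, window=timedelta(minutes=10)):
    """Return (user, first, second) for each successful sign-in recorded as
    single-factor that is followed within `window` by a multi-factor one."""
    events = sorted(json.loads(export_json), key=lambda e: parse_time(e["createdDateTime"]))
    last_single, hits = {}, []
    for e in events:
        if e.get("status", {}).get("errorCode") != 0:
            continue  # only successful sign-ins count (non-zero = failure)
        user = e["userPrincipalName"].lower()
        when = parse_time(e["createdDateTime"])
        requirement = e.get("authenticationRequirement")
        if requirement == "singleFactorAuthentication":
            last_single[user] = when
        elif requirement == "multiFactorAuthentication":
            first = last_single.pop(user, None)
            if first is not None and when - first <= window:
                hits.append((user, first.isoformat(), when.isoformat()))
    return hits

if __name__ == "__main__":
    for user, first, second in find_double_prompts(SAMPLE_EXPORT):
        print(f"{user}: single-factor at {first}, multi-factor again at {second}")
```

Each hit marks a session where the first sign-in was not recorded as multi-factor and a second, multi-factor sign-in followed; users who appear here are the ones to check for registered classic MFA methods.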
