O365 with Duo SSO - Duo SSO prompt

Hi Duo community,

I’m working on configuring Office 365 with Duo SSO by following document Knowledge Base | Duo Security

My goal is to protect O365 only to specified group user. So, others users will not experencing the DUO prompt.

I’m not sure the login workflow after O365 integrated with Duo. If I specified the group user to be enforced in DUO. The Duo SSO prompt will be displayed only to user in the group? Or Duo SSO prompt will be displayed to all domain users after enterd their email?

Thank you

Hi @Tutchapon_Sirisaeng,

It is possible to limit which users are prompted for Duo 2FA by using Policy settings on the application page you can add application specific or group specific policies. One thing to note is that all users will be federated to Duo SSO and get the primary page login experience for the domains you choose to federate in Office 365.

@Tutchapon_Sirisaeng I’m in the same boat trying to set this up the first time.

@jamie Can you expand on the primary page login experience you mentioned? Will users still be prompted with the DUO login page? What if I whitelist our main public IP would it still prompt?

I have a policy set to only apply to my “IT Group” with my user in it so it would only effect me for testing… assuming I have all settings set right no one should be the wiser, but it should only prompt me?

1 Like

Hey @IT_Mike,

Once you’ve federated a domain in Office 365, all users of that domain will be required to authenticate using the SAML identity provider you provided, so all users would see the first-factor login page on the left-hand side of this picture.

You can apply policies like you mentioned above that will make it so that only certain users will be required to complete 2FA (the image on the right-hand side). While all other users will just pass right though after they’ve completed first factor.


Hi @jamie quick question about that. If I have users that are unenrolled and are not yet in the DUO portal, would they be denied logging in to Office 365 after the domain has been federated?

Hi @Kurt,

This would depend on your New User Policy. You can set it to either allow unenrolled users to pass, require they enroll, or deny them access.

Thanks @jamie just wanted to be confident that when I federate the domain, users who are unenrolled will still be able to access Office365 and authenticate past the first factor you posted above