Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1534
Views
3
Helpful
6
Replies

O365 with Duo SSO - Duo SSO prompt

Tutchapon_Sirisaeng
Level 1
Level 1

‎05-21-2021 01:41 AM

Hi Duo community,

I’m working on configuring Office 365 with Duo SSO by following document Knowledge Base | Duo Security

My goal is to protect O365 only to specified group user. So, others users will not experencing the DUO prompt.

I’m not sure the login workflow after O365 integrated with Duo. If I specified the group user to be enforced in DUO. The Duo SSO prompt will be displayed only to user in the group? Or Duo SSO prompt will be displayed to all domain users after enterd their email?

Thank you

Labels:
0 Helpful
6 Replies 6

jamieis
Cisco Employee
Cisco Employee

‎05-21-2021 06:11 AM

Hi @Tutchapon_Sirisaeng,

It is possible to limit which users are prompted for Duo 2FA by using Policy settings on the application page you can add application specific or group specific policies. One thing to note is that all users will be federated to Duo SSO and get the primary page login experience for the domains you choose to federate in Office 365.

0 Helpful

IT_Mike
Level 1
Level 1

‎05-21-2021 06:59 AM

@Tutchapon_Sirisaeng I’m in the same boat trying to set this up the first time.

@jamie Can you expand on the primary page login experience you mentioned? Will users still be prompted with the DUO login page? What if I whitelist our main public IP would it still prompt?

I have a policy set to only apply to my “IT Group” with my user in it so it would only effect me for testing… assuming I have all settings set right no one should be the wiser, but it should only prompt me?

jamieis
Cisco Employee
Cisco Employee
In response to IT_Mike

‎05-21-2021 07:17 AM

Hey @IT_Mike,

2X_9_9db498ae8ba388eb66ec63f52c4a5aec1ea2c470.png

Once you’ve federated a domain in Office 365, all users of that domain will be required to authenticate using the SAML identity provider you provided, so all users would see the first-factor login page on the left-hand side of this picture.

You can apply policies like you mentioned above that will make it so that only certain users will be required to complete 2FA (the image on the right-hand side). While all other users will just pass right though after they’ve completed first factor.

khudson1
Level 1
Level 1
In response to jamieis

‎08-26-2021 01:15 PM

Hi @jamie quick question about that. If I have users that are unenrolled and are not yet in the DUO portal, would they be denied logging in to Office 365 after the domain has been federated?

0 Helpful

jamieis
Cisco Employee
Cisco Employee
In response to khudson1

‎08-27-2021 05:14 AM

Hi @Kurt,

This would depend on your New User Policy. You can set it to either allow unenrolled users to pass, require they enroll, or deny them access.

0 Helpful

khudson1
Level 1
Level 1

‎08-27-2021 05:34 AM

Thanks @jamie just wanted to be confident that when I federate the domain, users who are unenrolled will still be able to access Office365 and authenticate past the first factor you posted above

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents