Office 365 Logins with AD Conditional Access

Hi… I’m trying to require Duo for Office 365 logins using Duo Active Directory conditional access. We have a couple of administrators that this seems to work for already.

If I add a new user to the CA group in Azure Active Directory, their O365 logins redirect to our Duo authentication, but then they seem to be bypassed… they get right in to O365 without a Duo request. I keep thinking there must be some additional step that I’m missing, but I’m not sure what it is. These are enrolled users, successfully using Duo with our VPN; we just want to secure logins from their personal devices when they are using a web page, for applications like OWA.

Suggestions?

That behavior sounds like they have the “Remember me for x days” option selected. Do you know if that is the case?

Can’t be… I don’t think, since the person never gets to a web page. — L

Oh ok - let's just clarify this real quick to make sure we’re not missing something. You said that the user’s login will:

“redirect to our DUO authentication, but then they seem to be bypassed”

If they did have that box checked, you’d briefly see the browser navigate to the Duo page first before continuing on to 365. Do you see that? Even if it continues on to 365?

Yes, indeed, that is exactly what happens. — L

Did you look at the authentication logs in Duo to see if those bypassed authentications are present? The details for the logins may give you a hint as to why they seem to be bypassed, like are they logging into something else first with Duo and checking the remembered device option, or is there a policy allowing bypass attached to the Azure CA application, etc.

Hi, thanks for the reply. The authentication attempts don’t appear in either the Duo log or the authproxy log. I should think that the authentication sequence seems to be:

  1. Attempt to log in from the web to Outlook Web Access (for example).
  2. Login goes to Azure AD, which sees that the user is identified for “conditional access”.
  3. Azure AD passes the request to the Duo cloud service (seen in the redirect of the web address).
  4. At this point… I should think I’d see a validation request to my phone, or a request going to the LDAP proxy and then to the phone… but nothing happens… I just get into the OWA account. Since there is no phone request, there is no entry in the Duo Admin log.

Have you tried having one of these users login via a private browsing window as a way to “start fresh”? Perhaps there’s cached authentication that’s causing it to pass through.

Thanks secuadmin11!

Yep… different machines, private windows… different users… off the VPN… I just keep thinking there is another piece of the configuration puzzle that has to happen.

So, the Authentication Proxy is completely uninvolved in the Azure CA authentication. It does not use LDAP at all and does not send any part of the authentication to whatever on-premises Duo software you may have. The Duo Conditional Access control is entirely cloud to cloud (Login to Azure, redirect to Duo, redirect back to Azure). Nothing will ever get logged at the proxy for Azure CA auths, so forget it exists for the purposes of troubleshooting here.

You should see the interactive Duo prompt after you log in to Azure, where you would select a factor. If Duo determines that the user can bypass 2FA due to user status or policy, then you should see a brief “Logging you in” status in lieu of the Duo prompt.

Do you see neither of those?

If you do see the “Logging you in” message then definitely there should be an event logged and visible in the Duo Admin Panel under Reports > Authentication Log.

If there is no Duo Prompt in the browser and no Authentication Log event, I think you should contact Duo support, as there are some additional troubleshooting steps a support engineer can go over with you individually that would be difficult to replicate via a public forum (as you definitely should not post your Duo or Microsoft account information or user details here).

Don’t DM me; I am not Support. :)
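A small added triage script (not from this thread, Duo, or Microsoft) that applies the check described in the replies above: take an export of the Duo Authentication Log, keep only events for the Azure application, and sort the users you expect to be protected into three buckets: prompted interactively, let through silently (remembered device, bypass status, etc.), and no event at all, which is the "contact support" case. The field names and reason strings follow the Duo Admin API authentication-log format as I understand it and are an assumption, and the records below are constructed sample data.

```python
"""Triage a Duo Authentication Log export for Azure CA logins that never prompted."""
from collections import defaultdict

# Constructed sample records in the shape of Duo's Admin API v2 authentication log.
SAMPLE_LOG = [
    {"timestamp": 1700000000, "result": "success", "reason": "user_approved",
     "factor": "duo_push", "application": {"name": "Azure Active Directory"},
     "user": {"name": "admin1"}},
    {"timestamp": 1700000100, "result": "success", "reason": "remembered_device",
     "factor": "remembered_device", "application": {"name": "Azure Active Directory"},
     "user": {"name": "user2"}},
    {"timestamp": 1700000200, "result": "success", "reason": "bypass_user",
     "factor": "not_available", "application": {"name": "Azure Active Directory"},
     "user": {"name": "user3"}},
    {"timestamp": 1700000300, "result": "success", "reason": "user_approved",
     "factor": "duo_push", "application": {"name": "Cisco VPN"},
     "user": {"name": "user4"}},
]

# Reason strings (assumed from the Duo log schema) that mean the login was allowed
# without an interactive Duo prompt; these explain a "Logging you in" pass-through.
SILENT_REASONS = {"remembered_device", "bypass_user", "trusted_network",
                  "allow_unenrolled_user"}


def triage(records, app_name, expected_users):
    """Classify expected_users by how their logins to app_name were handled.

    Returns {"prompted": [...], "silent": {user: [reasons]}, "no_events": [...]}.
    Users in no_events had no Duo event for the application at all, which matches
    the symptom in the thread and is the case to raise with Duo support.
    """
    by_user = defaultdict(list)
    for rec in records:
        if rec.get("application", {}).get("name") != app_name:
            continue  # ignore VPN and other integrations; CA auths log under Azure
        by_user[rec["user"]["name"]].append(rec)

    report = {"prompted": [], "silent": {}, "no_events": []}
    for user in expected_users:
        events = by_user.get(user, [])
        if not events:
            report["no_events"].append(user)
            continue
        silent = sorted({e.get("reason") for e in events if e.get("reason") in SILENT_REASONS})
        if silent:
            report["silent"][user] = silent
        else:
            report["prompted"].append(user)
    return report
```

With a real export, replace SAMPLE_LOG with the parsed JSON from Reports > Authentication Log (or the Admin API) and pass the CA group's member list as expected_users.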

Thanks DuoKristina…that is very helpful.