Thank you Jamie! Do you happen to have a screenshot of what the SSO login page looks like so I can send to my users?

The page will look like this: Duo Single Sign-On - Guide to Two-Factor Authentication · Duo Security

I’d recommend enabling Duo Central which will let you see what the login experience will look like and also can act as a hub for users to be able to get to all their applications.

Perfect. Thank you again for your help Jamie! I will definitely take a look at Duo Central.

So close to having this deployed. I have the 365 application setup, I’ve tested through the authentication proxy using authproxy_connectivity_tool.exe, and I’ve downloaded the Powershell script I need to federate my domain. I can’t seem to find documentation outlining the requirements to allow self service password resets for my users though. Is there anything I need to setup for them to have that ability?

The setting is configurable on the Active Directory authentication page. Just to note that Duo SSO only supports expired password reset so a user won’t be able to initiate a reset early but will be prompted once their password has expired.

You can see the user experience here.

Awesome. According to those requirements I should be good to go. Will my users still be able to change their passwords via the Office 365 portal?

I believe that if you already have configured the Azure AD connector to handle password write backs that will still be an option but they’d need to be logged into Microsoft 365 already to see it.

I think users, in that case, might see two different scenarios:

1. Their password is expired and they haven’t got a valid session with M365 so they would go through the Duo SSO password reset prompts.
2. Their password is not expired, they logged into M365 and do a self service password reset through Microsoft.

That’s how I had imagined it working. I’ll know for sure when I complete our Duo deployment tonight. I appreciate all of your help Jamie!!