Office 365 - Will my users be able to log in after federating the domain?

All of my users are synced to my Duo portal from Azure AD and all of them have enrolled their mobile devices. I’ve set up an authentication proxy and have my default domain ready to go in my tenant. My next steps are to federate my domain then add the Office 365 application in the Duo admin panel. Will my users lose the ability to log in after I federate my domain? I assume they won’t start using Duo for authentication until I get the application set up in the Duo admin panel?

The majority of my users have Outlook installed and we see the Office 365 prompt to log in. When we do cut over to Duo for authentication will we start to see a Duo prompt rather than a 365 prompt?

Hi @opsteam,

If you’re following our instructions for Microsoft 365 with Duo SSO you should be instructed to create the Duo Admin Panel application first and then download a PowerShell script that will help you through the federation.

Once your domain is federated, when asked to authenticate, users will be prompted and shown the Duo SSO login page instead of the Microsoft login page.

2 Likes

Thank you Jamie! Do you happen to have a screenshot of what the SSO login page looks like so I can send to my users?

1 Like

The page will look like this: Duo Single Sign-On - Guide to Two-Factor Authentication · Duo Security

I’d recommend enabling Duo Central which will let you see what the login experience will look like and also can act as a hub for users to be able to get to all their applications.

2 Likes

Perfect. Thank you again for your help Jamie! I will definitely take a look at Duo Central.

1 Like

So close to having this deployed. I have the 365 application set up, I’ve tested through the authentication proxy using authproxy_connectivity_tool.exe, and I’ve downloaded the PowerShell script I need to federate my domain. I can’t seem to find documentation outlining the requirements to allow self-service password resets for my users though. Is there anything I need to set up for them to have that ability?

The setting is configurable on the Active Directory authentication page. Just to note that Duo SSO only supports expired password reset so a user won’t be able to initiate a reset early but will be prompted once their password has expired.

You can see the user experience here.

1 Like

Awesome. According to those requirements I should be good to go. Will my users still be able to change their passwords via the Office 365 portal?

I believe that if you already have configured the Azure AD connector to handle password write backs that will still be an option but they’d need to be logged into Microsoft 365 already to see it.

I think users, in that case, might see two different scenarios:

  1. Their password is expired and they haven’t got a valid session with M365 so they would go through the Duo SSO password reset prompts.
  2. Their password is not expired, they log into M365 and do a self-service password reset through Microsoft.

1 Like

That’s how I had imagined it working. I’ll know for sure when I complete our Duo deployment tonight. I appreciate all of your help Jamie!!