Outlook - Duo auth not needed?

I have rolled out Duo to about 40 users so far and all have completed the Duo enrollment.
When offsite, I expected them to have to go through the Duo authentication when using Outlook. This appears not to be the case. OWA goes through the Duo authentication process, but using the full Outlook client, which was previously set up, there is no Duo requirement.

Is this because Outlook was previously setup? (O365 Outlook, current version)

On a probably related note, the Authentication Log doesn’t show any accesses at all - just the new enrollment messages. I would expect it to show something when using Outlook even on a previously configured device.

Anyone?

Take a look at the blue “Important” callout in the Office 365 documentation here.

If users had a preexisting Office 365 Outlook profile before federating with the Duo Access Gateway they might not be able to log in with modern authentication after federation and may then need to delete the existing Office 365 client credentials in order to log in with Modern Authentication.

Also, these articles from the Duo Knowledge Base should help:

Why is my Outlook client not showing a 2FA prompt when Office 365 is protected by Duo?

How often will rich and mobile clients such as Outlook, Skype for Business and iOS Mail prompt for authentication with Office 365?

Thanks for the response.

I really just need answers to a couple of questions. Believe me, I’ve read all the documentation which doesn’t answer my questions or I don’t understand what I’m reading.

Users were recently enrolled in Duo. When using Outlook (desktop client) that was set up prior to their Duo enrollment, they are not prompted to authorize with Duo. Is this expected behavior? What if the user's Exchange account was compromised before we started using Duo? It seems once Duo is enabled for them, all devices accessing Exchange should have to go through the Duo authorization process.

On a similar note, the only entries in the Authentication Log are initial enrollments and authorizations done when accessing OWA or new Outlook 365 installs. Is this expected behavior?

  1. It is expected that users who previously configured their Outlook profiles before you deployed Duo might not see the 2FA prompt, as noted in the quote from our Office 365 instructions. Recreating the mail profile in Outlook or clearing out the cached credential for Office 365 usually fixes that.

  2. Duo’s authentication logs can only show when the login process actually contacts our service. In the case of users with pre-existing Outlook profiles, Office 365 is not directing the client to perform that external authentication step. Office 365 clients use their access and refresh tokens to determine if reauthentication is needed. If the tokens are still valid and no reauthentication is required, then no login requests will actually reach Duo’s service.

The Azure/Office 365 tokens are discussed in depth in the “How often will rich and mobile clients such as Outlook, Skype for Business and iOS Mail prompt for authentication with Office 365?” article. Duo can only respond to authentication requests that reach our service. If the service declines to send the login request to Duo, as Azure might if a given Office 365 client still has a valid access/refresh token (even if the initial login did require Duo MFA), there won’t be any activity logged on Duo’s side.

I hope that answered your questions.
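As an added example that is not part of this thread or of Duo's documentation, the following PowerShell script performs the "clear out the cached credential" fix from item 1 on the affected Windows client. It assumes (my assumption, not something the thread states) that Office 2016 and later keep the cached Office 365 credentials in Windows Credential Manager under targets containing "MicrosoftOffice16_Data" and the signed-in account list under HKCU:\Software\Microsoft\Office\16.0\Common\Identity\Identities. By default it only reports what it would remove; pass -Remove to actually delete.

```powershell
# Added example: report (and optionally remove) the cached Office 365 credentials
# and signed-in identities that let a pre-existing Outlook profile reconnect
# without a fresh federated login. Run in the affected user's own session.
# ASSUMPTIONS (not from the thread): credential targets contain
# "MicrosoftOffice16_Data" and identities live under the registry key below.
param(
    [switch]$Remove
)

$IdentityKey = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity\Identities'

# cmdkey /list prints one "Target: ..." line per stored credential. Generic
# credentials are shown as "LegacyGeneric:target=<name>", while cmdkey /delete
# wants only <name>, so the prefix is stripped before the name is returned.
function Get-OfficeCachedCredentials {
    cmdkey /list | ForEach-Object {
        if ($_ -match '^\s*Target:\s*(.+)$') {
            $target = $Matches[1].Trim()
            if ($target -match 'MicrosoftOffice16_Data') {
                $target -replace '^.*target=', ''
            }
        }
    }
}

function Clear-OfficeCachedCredentials {
    param([switch]$Remove)
    $targets = @(Get-OfficeCachedCredentials)
    if ($targets.Count -eq 0) {
        Write-Host 'No cached Office 365 credentials found in Credential Manager.'
        return
    }
    foreach ($t in $targets) {
        if ($Remove) {
            cmdkey /delete:"$t" | Out-Null
            Write-Host "Removed cached credential: $t"
        } else {
            Write-Host "Would remove cached credential: $t (re-run with -Remove)"
        }
    }
}

# Each subkey under Identities is one signed-in Office account; removing them
# forces Office to sign the account in again on next start.
function Clear-OfficeIdentities {
    param([switch]$Remove)
    if (-not (Test-Path $IdentityKey)) {
        Write-Host "No Office identities found at $IdentityKey."
        return
    }
    foreach ($id in Get-ChildItem $IdentityKey) {
        if ($Remove) {
            Remove-Item -Path $id.PSPath -Recurse -Force
            Write-Host "Removed Office identity: $($id.PSChildName)"
        } else {
            Write-Host "Would remove Office identity: $($id.PSChildName) (re-run with -Remove)"
        }
    }
}

# Outlook holds its tokens in memory; clearing the cache while it runs is pointless.
if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
    Write-Warning 'Outlook is running. Close it before removing cached credentials.'
    if ($Remove) { exit 1 }
}

Clear-OfficeCachedCredentials -Remove:$Remove
Clear-OfficeIdentities -Remove:$Remove
```

Run it once without -Remove to see what is cached, then with -Remove after Outlook is closed; on the next start Outlook has no cached credential or token to reuse and must sign in again, which is the point at which the federated login, and therefore the Duo prompt and the Authentication Log entry, can occur. If the script finds nothing to remove, recreating the mail profile, the other fix named in item 1, is the remaining option.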