OWA MFA only for External users

We have users that access our Exchange 2013 server over OWA from both inside and outside our network. We would like to implement DUO MFA ONLY for users accessing OWA from the internet. We do not want our internal users to be prompted for MFA. Is this possible?

Yes, you can accomplish this via an Authorized Networks policy.

Looks like we need the premium DUO service for this. I am trying to get approval to upgrade. Would we be able to apply that just to certain protected applications? There are internal things we want protected by MFA also

Yes, you can apply an application-level or global authorized networks policy with Duo MFA (the least-expensive paid edition). You can learn more about our editions here: Pricing | Duo Security

Doesn’t seem to work for us, added the NAT’d network IP for the Server as that seems to be the source in the log files, but it is still prompting the user. Will reach out to suport

@StealthNet

You wouldn’t add the Exchange server’s IP to the authorized networks policy to bypass. You would add the client IPs. This may be the NATed address.

Example:

  • Your internal network is 10.1.0.0/16
  • Your external IP is 1.2.3.4

When the web clients from within your office network access Duo, the IP address reported to Duo is likely the external one (as we record the IP address of the system that displays the Duo prompt as the client IP).

So if you add 1.2.3.4 as the network that doesn’t require 2FA, any web client that comes from that address bypasses Duo auth while client access from any other IP would not.

Even if we add the nat address it doesn’t work, still prompts

Robert James
President

Stealth Network Services Inc.** **

403-281-8701, Ext. 201 | 207, 4954 Richard Road SW | Calgary, AB | T3E 6L1

Do you have other authentication policies defined that may be overriding the authorized networks setting? Like, if you set the User Location policy to require 2FA for your location, that supersedes Authorized Networks bypass for any network identified as being in that location.

Please contact Duo Support for 1:1 troubleshooting. We can’t review your unique setup to the degree that would be needed here in this public discussion forum.

Yes this is what it was, the User location was overriding the Allowed networks. I wish there is a document that would highlight preference order, as we would like to have both options as well as country all at the same time.

Thanks for the suggestion. We can try to get more clarifying information available.