Protect Exchange ECP but not OWA

Dave Packham
Level 1

Is there any way to enforce DUO for Exchange admins using ECP but not enforce them for OWA use? Or how to only DUO auth the admins AD group when they try to log in?

Accepted Solutions

DuoKristina
Cisco Employee

Hi dpackham!

Enforcing two-factor only for Exchange admin access to the ECP IIS site is not a supported use case for the Duo OWA application.

What is possible is to install Duo for OWA and apply a new user policy that lets unenrolled users log in without 2FA, and only enroll the Exchange admins in Duo.

Or, if you need to have all your users enrolled in Duo to protect access to other services, you could apply a group access policy that allows access without 2FA on the OWA application to a group of non-admin users.

Duo, not DUO.

3 Replies

Thanks. We will go down the policy route.

I forgot to mention that the Exchange admins whom you do require to use Duo MFA will also need to use 2FA on OWA mailbox access as well as ECP.

Duo, not DUO.