Is there any way to enforce Duo for Exchange admins using ECP but not enforce it for OWA use? Or how to only Duo auth the admins AD group when they try to log in?
Enforcing two-factor only for Exchange admin access to the ECP IIS site is not a supported use case for the Duo OWA application.
What is possible is to install Duo for OWA and apply a new user policy that lets unenrolled users log in without 2FA, and only enroll the Exchange admins in Duo.
Or, if you need to have all your users enrolled in Duo to protect access to other services, you could apply a group access policy that allows access without 2FA on the OWA application to a group of non-admin users.
Thanks. We will go down the policy route.
I forgot to mention that the Exchange admins whom you do require to use Duo MFA will also need to use 2FA on OWA mailbox access as well as ECP.