As many of us in the security community are aware, a number of critical Microsoft Exchange vulnerabilities have recently been discovered, prompting Microsoft to release multiple rounds of patches to remediate them.
In light of these recent security incidents, we wanted to take this opportunity to remind customers who use Duo for Outlook Web App that when you install an Exchange Cumulative Update (CU), you must reinstall Duo for OWA. We recommend you review your Duo for OWA logs to confirm that the integration is working normally. You should see the message "Authentication succeeded" for each login event if 2FA is enabled.
If not, please take the following steps to ensure users are still prompted for two-factor authentication for OWA logins:
- Uninstall Duo for OWA (Outlook Web App) completely, and verify that it has been cleanly uninstalled.
- Install the Exchange CU. (Note: It is not necessary to reinstall the Exchange CU if you just need to uninstall/reinstall Duo for OWA.)
- Reinstall Duo for OWA from an elevated command prompt after the Exchange CU has been completed.
- Verify that individual Exchange servers with the CAS role that have the Duo OWA module applied are successfully enforcing 2FA.
What happens if you do not follow this process? Because Exchange CU installers overwrite any customizations to the XML files (including those modifications made by installing the Duo integration), users will be able to log in to OWA without being required to perform Duo 2FA.
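One way to automate the log review recommended above, as an added example that is not Duo's own tooling: the function counts "Authentication succeeded" entries written after the time the CU install finished. The function name, the log path parameter, the timestamp layout at the start of each line and the sample log lines are all assumptions or constructed for illustration; adjust them to match your deployment.

```powershell
# Added example (not from Duo): check whether the Duo for OWA log shows
# "Authentication succeeded" entries after an Exchange CU was installed.
# Assumptions: the caller supplies the log path, and every log line starts
# with a timestamp in the form "yyyy-MM-dd HH:mm:ss".
function Test-DuoOwaEnforcement {
    param(
        [Parameter(Mandatory)] [string]   $LogPath,
        [Parameter(Mandatory)] [datetime] $CuInstalledAt
    )
    if (-not (Test-Path -LiteralPath $LogPath)) {
        throw "Log not found: $LogPath"
    }
    # Timestamp prefix followed, anywhere on the line, by the success message.
    $pattern = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*Authentication succeeded'
    $after = 0
    $last  = $null
    foreach ($line in Get-Content -LiteralPath $LogPath) {
        if ($line -match $pattern) {
            $ts = [datetime]::ParseExact($Matches['ts'], 'yyyy-MM-dd HH:mm:ss',
                    [cultureinfo]::InvariantCulture)
            if ($ts -gt $CuInstalledAt) { $after++ }
            if ($null -eq $last -or $ts -gt $last) { $last = $ts }
        }
    }
    # Zero entries after the CU means either nobody has logged in yet or the
    # Duo module is no longer loaded; a test OWA login tells the two apart.
    [pscustomobject]@{
        SucceededAfterCu = $after
        LastSucceeded    = $last
        NoSuccessSinceCu = ($after -eq 0)
    }
}

# Constructed sample log: successes stop before the CU install time.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'duo-owa-sample.log'
@(
    '2021-03-01 09:12:44 Authentication succeeded for user alice'
    '2021-03-02 17:40:03 Authentication succeeded for user bob'
    '2021-03-04 08:01:19 Unrelated constructed log line'
) | Set-Content -LiteralPath $sample

Test-DuoOwaEnforcement -LogPath $sample -CuInstalledAt '2021-03-03 22:00:00'
```

Run it on each Exchange server with the CAS role; a server that reports no successes since the CU is a candidate for the uninstall/reinstall steps above.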
Read more in this help article on how Exchange Cumulative Updates impact Duo 2FA.