Set up DUO authentication with Azure conditional access does not work

5even · April 7, 2023, 2:55pm

Hey guys,

I just finished the setup with help of the documentation https://duo.com/docs/azure-ca

Everything seems fine but somehow I dont get the DUO prompt when I log in to Azure, which actually should. Every step was taken as described but I think I missing somethin. Any idea?

thank you

DuoKristina · April 7, 2023, 7:50pm

Double-check the conditional access policy assignments in Azure:

Make sure it’s set to the right users, groups, and apps.
Make sure none of the conditions are letting the policy get bypassed.
Make sure the grant is definitely requiring the Duo control, not the Duo control and something else and is satisfied by success on just one control.
Make sure the policy is “On” and not set to “Report-only” or “Off”.

Try the “What If” tool in the Azure portal to model an auth that you think should be subject to the CA policy with the Duo control and see what happens i.e. does your Duo CA policy show up in “Policies that will apply”?

If Duo works in the browser but isn’t shown in a rich-client app, take a look at this article for more advice: How often will rich and mobile clients such as Outlook, Skype for Business and iOS Mail prompt for authentication with Azure’s Authentication Session Management feature?.

5even · April 11, 2023, 5:06am

Hi Kristina,

thank you for your quick response. I actually did everything double-check. Do you know how to set the Userlogin on the Azure AD Connect Server? Is it Password-Passthrough or Federation with ADFS?

DuoKristina · April 11, 2023, 1:10pm

That choice is up to you. What do you want your deployment to look like? Do you want to federate your Azure tenant with AD FS for primary? If you don’t plan to deploy AD FS, don’t choose it.

5even · April 11, 2023, 4:36pm

That was a thought for the future and would be nice to federate my tenant with AD FS.