Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7541
Views
0
Helpful
4
Replies

Setting up Duo for Office 365 questions

xelacitnad
Level 1
Level 1

‎06-26-2018 08:19 AM

Currently trying to set up Duo for Office365 using the following:

However, I have a few questions before moving forward. We currently have a server that has Office 365 enabled SSO, so I’m not quite doing this from scratch. In the instructions, when configuring the Azure AD Connect User Sign-In, it states to select ‘Do not configure’ for the Sign On method. Currently, my configuration has ‘Password Hash Synchronization’ & ‘Enable single sign-on’ selected. Can I leave it like this or will I need to reconfigure the Azure AD Connect settings to follow the instructions? Any help will be appreciated.

Labels:
0 Helpful
4 Replies 4

xelacitnad
Level 1
Level 1

‎06-27-2018 08:15 AM

Went along wi/ my current configuration & everything ended up working. When users log in to Office 365, they are now get the Duo prompt requesting a push now. However, my next question, for anyone that could help, is currently the Duo prompt gets applied to all the users in the AD. How would I configure it so that only users that are part of a certain container/dept only get prompted wi/ Duo? If I can get this, I’ll pretty much be set.

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to xelacitnad

‎06-28-2018 09:03 AM

One way to accomplish this would be:

  1. Create groups for your Duo users. Either manually, or use directory sync to import groups and members from AD into Duo.
  2. Set the Group Access policy for your Duo Office 365 application or at the global policy level to “Allow access without 2FA”.
  3. Apply a group policy to the Office 365 application with the Group Access policy set to “No action” and the New User application policy set to “Require enrollment”. When applying the policy, attach it to the Duo groups from step 1 that you want to use Duo 2FA when accessing Office 365.

Net result: members of the groups attached to the group policy must use Duo, and anyone not in those groups bypass 2FA.

Duo, not DUO.
0 Helpful

xelacitnad
Level 1
Level 1
In response to DuoKristina

‎06-28-2018 10:19 AM

Apologies, but I have another question that i forgot to ask previously. In the ‘Search Base’ field in DAG, I’m confused in what I’m supposed to put right there. Do I put that’ll search all users (so something like OU=All Users,DC=my,DC=domain) or do I put the only the OU that includes the users that should be getting a Duo prompt (OU=Duo users,DC=my,DC=domain)?

1X_c46b1ef94e1778be10d2570c370da4460bd9e9f0.png

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to xelacitnad

‎07-06-2018 06:51 AM

It needs to be set to a level in your domain hierarchy that covers all users who will log in with SSO via the DAG.

Duo, not DUO.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents