Setting up Duo for Office 365 questions


Currently trying to set up Duo for Office365 using the following:

However, I have a few questions before moving forward. We currently have a server that has Office 365 enabled SSO, so I’m not quite doing this from scratch. In the instructions, when configuring the Azure AD Connect User Sign-In, it states to select ‘Do not configure’ for the Sign On method. Currently, my configuration has ‘Password Hash Synchronization’ & ‘Enable single sign-on’ selected. Can I leave it like this or will I need to reconfigure the Azure AD Connect settings to follow the instructions? Any help will be appreciated.


Went along wi/ my current configuration & everything ended up working. When users log in to Office 365, they are now get the Duo prompt requesting a push now. However, my next question, for anyone that could help, is currently the Duo prompt gets applied to all the users in the AD. How would I configure it so that only users that are part of a certain container/dept only get prompted wi/ Duo? If I can get this, I’ll pretty much be set.


One way to accomplish this would be:

  1. Create groups for your Duo users. Either manually, or use directory sync to import groups and members from AD into Duo.
  2. Set the Group Access policy for your Duo Office 365 application or at the global policy level to “Allow access without 2FA”.
  3. Apply a group policy to the Office 365 application with the Group Access policy set to “No action” and the New User application policy set to “Require enrollment”. When applying the policy, attach it to the Duo groups from step 1 that you want to use Duo 2FA when accessing Office 365.

Net result: members of the groups attached to the group policy must use Duo, and anyone not in those groups bypass 2FA.


Apologies, but I have another question that i forgot to ask previously. In the ‘Search Base’ field in DAG, I’m confused in what I’m supposed to put right there. Do I put that’ll search all users (so something like OU=All Users,DC=my,DC=domain) or do I put the only the OU that includes the users that should be getting a Duo prompt (OU=Duo users,DC=my,DC=domain)?


It needs to be set to a level in your domain hierarchy that covers all users who will log in with SSO via the DAG.