Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2075
Views
0
Helpful
5
Replies

Azure AD conditional Access with Office apps

gmr1
Level 1
Level 1

‎04-09-2019 06:48 AM

I’ve set up a trial of Duo with the intention of enabling MFA for Office 365.
We primarily use Outlook, but some users also access via OWA.

I am not linking Duo to an on-prem AD.
I have enabled Duo with conditional access in Azure AD, currently for 1 test user. using the supplied JSON script, ticking the following cloud apps: Email, Office 365, Exchange online, Sharepoint online
and the following conditions: client apps -> all ticked (except apply policy only to supported platforms - which I left unticked)

When attempting to access via the Office 365 portal it prompts for MFA correctly.
However, I can install Office on a test PC using the account and it lets me in to Outlook without any MFA prompt!

Have I missed something here ?

Thanks…

Labels:
0 Helpful
5 Replies 5

KevinMcDermott0758
Level 1
Level 1

‎04-09-2019 08:46 AM

Have you tried using the “What if?” tool in Conditional Access to make sure you’re hitting the right policy?

0 Helpful

gmr1
Level 1
Level 1

‎04-09-2019 09:07 AM

yes, no matter what combination I try it always reaches the require duo mfa policy.
but Oulook (v 1903 / feb 2019), android mail app, iphone mail app, google mail app - all still allow authentication with just the basic credentials

0 Helpful

pgp
Level 1
Level 1

‎04-09-2019 04:49 PM

Do you have Modern Authentication enabled for your Office 365 tenant?

0 Helpful

gmr1
Level 1
Level 1

‎04-10-2019 12:05 AM

That’s a good question. Just realised we don’t. I will look at enabling.
However, enabling modern-auth in the tennant does not prevent clients continuing to use basic auth.

My point is that a potential attacker could gain access posing as an outlook client bypassing MFA.

the conditional access should prevent such logins given that I have it set in the conditional access to force MFA (duo) on all client apps and cloud apps. yet it is only impacting cloud apps.

0 Helpful

gmr1
Level 1
Level 1

‎04-10-2019 12:38 AM

pgp - your answer led me to the solution.
For anyone experiencing the same issue:

  1. enable modern auth in the tennant
    https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online

  2. set up conditional access policies to force MFA on specific users

  3. disable basic auth (also done via conditional policy - set to block)
    https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-Conditional-Access-support-for-blocking-legacy-auth-is/ba-p/245417

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents