Duo Security is an industry leader in MultiFactor Authentication (MFA) and zero-trust security solutions. Many organizations choose to federate their on-premise identity – Active Directory – with Microsoft so that users have a Single Sign On (SSO) experience when accessing 365 – this is, in many cases, achieved using ADFS. Duo conveniently provides a plugin for ADFS so that MFA can be bolted on to the existing SSO solution.
In fact, I found it to be just about that easy. In my ADFS 4.0 environment Duo’s plugin installed seamlessly and was instantly available for MFA within ADFS. The great thing about this is that, when your users authenticate through a web browser (such as to OWA), if they’re not already enrolled they can be prompted to enroll at that time. This makes user onboarding simple and easy.
Duo’s combination of access policies can be combined with ADFS’ claim rules for a very customizable experience. In my case, I chose to simply require 2FA only for extranet connections:
Just to be sure, I also whitelisted my public IP address within Duo’s application policy. The solution works beautifully – if we connect from outside of our network to OWA (via a web browser), the user will see Duo integrated with the ADFS login page as a next step after a successful login:
Now, let’s talk about the caveats of this solution. They are few, but they do need to be planned for
Non-browser connections (such as those from Outlook installed on user desktops) will now require Modern Authentication. This won’t be a big deal for most organizations, but it does restrict what Outlook clients can be used as well as what mobile mail clients can be used as well. Outlook 2013 or newer is required, though Outlook 2013 will require a registry change to be compatible. For mobile clients, check out Duo’s KB article for more detail.
Microsoft’s documentation lists 3 options for how to relay mail through Exchange Online, the first of which is SMTP Client Submission – relaying through Exchange Online using an authenticated connection on port 587. This is commonly accomplished using the Windows built-in SMTP relay in IIS, and if this is how you’re relaying then this method will stop working. A good workaround is to add a connector for the IP address that your mail relay sends from, and then reconfiguring it to send to yourdomain-com.mail.protection.outlook.com on port 25. For more information, see option #3 of the same Microsoft article.
Alternatively, if you have another domain setup in your 365 account that is not managed (configured for ADFS), you can use an account in this domain to continue to relay since the login for this account will not be subject to Duo’s MFA.
PowerApps / Flow / Other 365 services
Connectors setup in PowerApps and Flow will need to re-authenticate, with MFA, based on the policies setup within Duo. This will be a pain because it will require human interaction to do so. As mentioned in the previous paragraph, if you have a non-managed domain setup in your tenant then it may be easiest to create these connections with an account from one of these domains.