This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 1%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)
We received an email that our tenant is required to have MFA enabled for sign in to Azure portal, Microsoft Entra admin center, and Intune admin center. We ran the powershell to identify users and authentication methods. The powershell returned users do not have MFA enabled, so we do not comply with the upcoming action requirements.
We have a conditional access policy that applies to all users and all cloud services. The policy integrates Duo MFA with our sign in to Microsoft services.
Why is our conditional access policy not sufficient? Must we enable Microsoft Authenticator in addition to Duo MFA so we comply - but this requires two MFA components which seems like overkill.
Thanks for your support!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 38%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
If you're using a federated Identity Provider (IdP), such as Active Directory Federation Services, and your MFA provider is integrated directly with this federated IdP, the federated IdP must be configured to send an MFA claim.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
Hello @Steven Knoll,
Thank you for posting your query on Microsoft Q&A.
From your description, I understand that you’re referring to the recent announcement about MFA enforcement, particularly the mandatory multifactor authentication for Azure and other administration portals starting on October 15, 2024. You’re asking whether this enforcement will support third-party MFA providers like DUO.
If you’re using a third-party MFA provider (DUO) for second-factor authentication and have configured it through the Conditional Access Custom Controls preview, it will not satisfy the new MFA requirements. To continue using your external solution with Microsoft Entra ID, you should migrate to the External Authentication Methods (EAM) preview.
If your DUO MFA is already configured through the External Authentication Methods preview, it will support the upcoming MFA enforcement requirements.
You’ll need to verify how your DUO configuration is set up in your tenant—whether it’s configured through Custom Controls (Preview) or External Authentication Methods (Preview).
Please refer to the screenshot below for guidance on verifying the configuration.
If your DUO MFA is set up through Custom Controls (Preview), you can find it under Entra ID > Security > Conditional Access > Custom Controls (Preview).
If your DUO MFA is set up through External Authentication Methods (EAM) Preview, it will be visible under Entra ID > Security > Authentication Methods > Policies > External (Preview).
Please verify your setup. If it’s not configured under the External Authentication Methods blade, refer to the following document for instructions on setting up your MFA, and contact DUO support for the required details.
Additional Resources:
For more information, please refer to the following articles.
Planning for mandatory multifactor authentication for Azure and other administration portals
Manage an external authentication method in Microsoft Entra ID (Preview)
I hope this information is helpful. Please feel free to reach out if you have any further questions.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Thanks,
Raja Pothuraju.
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Hello @Steven Knoll,
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
@Raja Pothuraju thanks for the detailed write-up. I am reviewing and will accept the solution if it solves the requirement.
On a related note, Duo released a public response to Microsoft's MFA requirement:
https://app.securitymsp.cisco.com/e/es?s=4673582&e=5530&elqTrackId=f57670e4f88240b889e171d9ac910a39&elq=ced3f4981e0c412eac119b6963a041a4&elqaid=164&elqat=1&elqak=8AF592110737E270874B97AEB04677C0A221422511A09A2CBC97399D002ACD60F015
@Steven Knoll, Sure. Please let me know if you get any additional questions while reviewing.