My users are not being automatically assigned to my Duo EAM authentication method. This used to work.

Andrew Hancock 10 Reputation points
2026-01-27T22:34:25.6833333+00:00

My organization uses Duo for MFA and we have had this configured in Azure since 2024 using the Duo MFA for Microsoft EAM instructions here: https://duo.com/docs/microsoft-eam

We have a hybrid-AD environment and create all users initially in our on-prem AD, which then syncs to Azure and Duo. Today I discovered that the Duo MFA EAM is not automatically being added as an authentication method to new users and, as we only want to pester users to set up one MFA method, those users have no MFA because the conditional access policies fail open and not closed. The Cisco Duo EAM is targeted to all users and until recently it was automatically added to all users as an authentication method. I need to get this functionality restored so that we don't have users that can log in without MFA. I'm sure more troubleshooting data will be needed, so let me know what that is. Thanks in advance.

Microsoft Security | Microsoft Identity Manager

2 answers

  1. Andrew Hancock 10 Reputation points
    2026-01-27T22:59:26.8933333+00:00

    I don't see where it's an assignment or provisioning problem; the Duo EAM enterprise app is enabled and assignment is NOT required. Like I mentioned, this used to work flawlessly and I have had no reason to touch anything related to the Duo/Azure/MFA configs. Something, in my opinion, has changed on Microsoft's side of things.

    Edit - Spelling

    2 people found this answer helpful.

  2. Q&A Assist
    2026-01-27T22:34:40.8366667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    To troubleshoot the issue of users not being automatically assigned to the Duo EAM authentication method in your Azure environment, consider the following steps:

    1. Check User Assignments: Ensure that the users are correctly assigned to the Duo EAM application in Azure. Users and groups must be assigned to the application for provisioning to occur. You can verify this by checking the assignment settings in the Azure portal.
    2. Attribute Mappings: Confirm that the attribute mappings are correctly configured to sync valid attributes from Microsoft Entra ID to the Duo application. If the mappings are not set up correctly, users may not be provisioned as expected.
    3. Provisioning Logs: Review the provisioning logs in the Microsoft Entra admin center. These logs will provide insights into what operations have been performed by the provisioning service and whether there were any errors during the provisioning process. Look for log entries related to the users who are not being provisioned.
    4. Scoping Filters: Check if there are any scoping filters in place that might be preventing certain users from being provisioned. Scoping filters can restrict which users are eligible for provisioning based on specific attribute values.
    5. Duo Configuration: Ensure that the Duo application is properly configured in Azure and that it has the necessary permissions. If the application does not have consent approved, sign-ins using the Duo method will fail.

    If you have checked all the above and the issue persists, you may need to gather more specific logs or error messages to further diagnose the problem.
