Conditional Access policy to require one of two MFA options?

wick111 1 Reputation point

We have Duo mfa configured and in use in our org. Duo works just fine as an mfa provider for Azure AD auth. We've been told my MS that a CA rule can be set to require Duo or MS mfa during auth. Has anyone actually tested this out and can describe the expected user workflow with this type of rule?

THX> Eric

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,079 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. soumi-MSFT 11,756 Reputation points Microsoft Employee

    @wick111 , Yes, it works. When you configure more than one MFA provider in Azure, all those MFA providers do get listed in the section Access Controls --> Grant, while creating a Conditional Access Policy.

    You can refer to the screenshot below for more info:


    I also stumbled upon the following article from DUO, which speaks about configuring the Conditional Access Policy in Azure For DUO. You can refer this article too.

    Disclaimer: This response contains a reference to a third-party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as "Answer" if the above response helped in answering your query.

    0 comments No comments

  2. Wuichner, Eric 1 Reputation point


    Thanks for your reply. I was able to accomplish what you outlined but what i want to do is put option of using MS or DUO MFA in same policy. Someone at MS once told me you could do this successfully but i am unable to actually make it work in an OR manner for an end user. This is the config I'm seeking any additional insights on.

    THX> Eric

    0 comments No comments

  3. Muhammad Irfan Sadiq 0 Reputation points

    If the CAP can evaluate two MFA providers, then it maybe possible just by selecting the both Duo and native Microsoft Authenticator.

    0 comments No comments