Why are conditional access policies not applied when trying to sign in to an app registered in Azure?

Thanuji Wickramadara 0 Reputation points
2024-04-17T11:21:53.82+00:00

I am integrating Azure AD and ISE 3.2 patch 5. Using Azure credentials, authentication and authorization were successful from ISE, and the user was identified by their group. (Here, when a user connects to the SSID using Azure login credentials, the user will be authenticated.)

Then I was going to integrate Azure AD and Duo. The integration between Azure and Duo was also successful. Also, I applied a conditional access policy requiring Duo MFA if a user signs in to the previously registered app. But in the Azure sign-in log, it shows the conditional policy as not applied and the sign-in state as success.

But the conditional policy is configured correctly: when I test by logging in to the app using the URL, it requires Duo MFA. Here the user will still authenticate using Azure credentials without Duo MFA.

Between Azure and ISE the authentication protocol is ROPC, and since ROPC does not support MFA (Microsoft Authenticator), if we try MFA with the Duo integration, will it work?

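The pattern described in the question (protocol ROPC, conditional access "not applied", sign-in successful) is visible in the Entra sign-in logs. As an added example that is not part of this thread, here is a small Python check that flags such single-factor ROPC sign-ins in exported log records; the records below are constructed, and the field names follow the Graph signIn schema (authenticationProtocol and authenticationRequirement are beta-schema fields).

```python
import json

# Constructed sample records shaped like Microsoft Entra sign-in log entries
# (newline-delimited JSON; field names follow the Graph signIn schema, values are made up).
SAMPLE_SIGNIN_LOG = """
{"userPrincipalName": "alice@example.com", "appDisplayName": "ISE-AzureAD", "authenticationProtocol": "ropc", "isInteractive": false, "conditionalAccessStatus": "notApplied", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "alice@example.com", "appDisplayName": "ISE-AzureAD", "authenticationProtocol": "oAuth2", "isInteractive": true, "conditionalAccessStatus": "success", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "appDisplayName": "ISE-AzureAD", "authenticationProtocol": "ropc", "isInteractive": false, "conditionalAccessStatus": "notApplied", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}}
{"userPrincipalName": "carol@example.com", "appDisplayName": "Payroll", "authenticationProtocol": "ropc", "isInteractive": false, "conditionalAccessStatus": "notApplied", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
"""


def parse_signins(raw):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def single_factor_ropc_bypasses(signins, mfa_protected_apps):
    """Return (user, app) pairs for successful ROPC sign-ins to apps that an MFA
    conditional access policy is meant to cover, but where the policy was not
    applied and only a single factor was used. This is the log signature of the
    situation in the thread: ROPC cannot complete an MFA challenge, so the
    sign-in succeeds with conditionalAccessStatus == "notApplied"."""
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "ropc":
            continue
        if s.get("appDisplayName") not in mfa_protected_apps:
            continue
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed sign-in (e.g. bad password), not a policy bypass
        if (s.get("conditionalAccessStatus") == "notApplied"
                and s.get("authenticationRequirement") == "singleFactorAuthentication"):
            findings.append((s["userPrincipalName"], s["appDisplayName"]))
    return findings


if __name__ == "__main__":
    # "ISE-AzureAD" stands in for the app registration the CA policy targets.
    for user, app in single_factor_ropc_bypasses(parse_signins(SAMPLE_SIGNIN_LOG), {"ISE-AzureAD"}):
        print(f"single-factor ROPC sign-in without CA enforcement: {user} -> {app}")
```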

6 answers

  1. Fabio Andrade 640 Reputation points Microsoft Employee
    2024-04-17T23:30:35.06+00:00

    Hi @Thanuji Wickramadara

    Thanks for reaching out to Microsoft Q&A

    I'd suggest you check whether your application is registered as a Web Application or as a Public / Native Application. CA policies are not applied to public apps as per the document below:


    https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps#other-applications

    This is where you can confirm how your app is registered:


    Thanks,

    Fabio


  2. Thanuji Wickramadara 0 Reputation points
    2024-04-18T04:08:59.5+00:00

    Hi @Fabio Andrade

    Thank you for your response.

    I have already enabled the web redirect URL, and the application is shown in the cloud app picker while adding conditional policies. When I connect to the app using the URL, the conditional policy is applied and Duo MFA is required. But when I connect to the SSID, Duo MFA is still not required; for that path the conditional policy is still not applied. Since connecting to the SSID uses ROPC, is there any possibility to add MFA in this way?
    Waiting for your reply.

    Thanks,

    Thanuji


  3. Fabio Andrade 640 Reputation points Microsoft Employee
    2024-04-19T15:31:15.2166667+00:00

    Hi @Thanuji Wickramadara

    Thanks for sharing this information. You can see the MFA prompt in the browser because the browser simply redirects your user to the MFA endpoint to proceed with the sign-in. If the "SSID" you are mentioning is a client, that client must support some type of web view to prompt your user for MFA.

    In a Cisco forum, there is some information related to CA, but it is about excluding the ISE application from the MFA policy as it could cause some issues, so I'd suggest you check with Cisco whether you can use Conditional Access with their client properly.

    https://community.cisco.com/t5/network-access-control/cisco-identity-services-engine-3-2-azure-ad-mfa/td-p/4983001

    Thanks,

    Fabio


  4. Fabio Andrade 640 Reputation points Microsoft Employee
    2024-04-22T23:32:44.45+00:00

    Hi @Thanuji Wickramadara

    I just wanted to check in and see if you had any other questions or if you were able to resolve your issue.

    If you have any other questions, please let me know.

    Thanks,

    Fabio


  5. Fabio Andrade 640 Reputation points Microsoft Employee
    2024-04-29T22:50:34.86+00:00

    Hi @Thanuji Wickramadara

    I just wanted to check in and see if you had any other questions or if you were able to resolve your issue.

    If you have any other questions, please let me know.

    Thanks,

    Fabio
