Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
14,620 questions
Conditional Access Policy for MFA Azure and DUO
J Smith
1
Reputation point
I have created a Conditional Access Policy requiring MFA for Administrators following this KB from MS (https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa). My tenant has a DUO subscription, and I have added the custom control for DUO to protect Azure AD.
In my Conditional Access Policy for Grant controls, I have selected both Require multi-factor authentication, and my Require DUO MFA controls; and have checked the box for "Require one of the selected controls"
When an M365 Admin account attempts to logon to M365, the account is being forced to authenticate with Microsoft AND DUO.
If I set the policy to only Require multi-factor authentication, I only get prompted by Microsoft.
If I set the policy to only Require DUO MFA, I only get prompted by DUO (so, I know this control works correctly for this account).
There is no other Access Control policy being applied/enforced against this account.
Does anyone know why?
It seems if I have multiple controls selected, and have enabled the option to only require one of the selected options ... if the account exists in DUO, I should only receive a DUO prompt.
{count} votes
-
JamesTran-MSFT 29,141 Reputation points Microsoft Employee2022-04-11T21:22:44.67+00:00 @J Smith
Thank you for the detailed post and I apologize for the delayed response!- When no other Conditional Access Policies are being applied/enforced against the user logging in, can you share some more info on what you mean by that, so I can gain a better understanding of your issue?
- Do you have multiple CA policies that should be applied?
- Can you share a screenshot of what you're seeing or how you set up your CA policy?
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue. -
J Smith 1 Reputation point
2022-04-11T22:16:09.317+00:00 Here are the CA policies I have configured. What I am saying is that the account in question only fits criteria in a way that only matches to 1 CA policy for MFA. So, I do not have multiple policies applied to the account.
My issue is, when I configure an MFA policy in this way, I expect that if the account satisfies DUO MFA, the account will not prompt for a Microsoft Authenticator MFA.
However, the user, under this policy, must approve BOTH a Microsoft Authenticator push AND a DUO Authentication push. I do not want that. If I have an account not enrolled in DUO, I want that account to be required to use MS Authenticator -- but, if the account is enrolled in DUO, I want the user forced to use DUO (only).
-
JamesTran-MSFT 29,141 Reputation points Microsoft Employee
2022-04-12T23:16:06.797+00:00 @J Smith
Thank you for following up on this!I reached out to my team and when it comes to your CA policy the - Require one of the selected controls option, should be an OR, but as you mentioned it's an AND.
- Since any active CA Policy can apply to the user, can you ensure that no other CA's are being applied?
- Can you turn off all the other policies for testing purposes or leverage the What If Tool?
If you're still having issues after you confirm that no other CA policies are being applied, please let me know.
Thank you for your time and patience throughout this issue. -
JamesTran-MSFT 29,141 Reputation points Microsoft Employee
2022-04-13T20:45:28.847+00:00 @J Smith
I just wanted to check in and see if you had a chance to review my previous post or if you were able to resolve this issue?
Sign in to comment