Conditional Access Policy for MFA Azure and DUO

J Smith 1 Reputation point

I have created a Conditional Access Policy requiring MFA for Administrators following this KB from MS ( My tenant has a DUO subscription, and I have added the custom control for DUO to protect Azure AD.

In my Conditional Access Policy for Grant controls, I have selected both Require multi-factor authentication, and my Require DUO MFA controls; and have checked the box for "Require one of the selected controls"

When an M365 Admin account attempts to logon to M365, the account is being forced to authenticate with Microsoft AND DUO.

If I set the policy to only Require multi-factor authentication, I only get prompted by Microsoft.

If I set the policy to only Require DUO MFA, I only get prompted by DUO (so, I know this control works correctly for this account).

There is no other Access Control policy being applied/enforced against this account.

Does anyone know why?

It seems if I have multiple controls selected, and have enabled the option to only require one of the selected options ... if the account exists in DUO, I should only receive a DUO prompt.

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
14,620 questions
{count} votes