Entra ID External Authentication Methods with Duo

Entra ID External Authentication Methods with Duo

Microsoft recently introduced the public preview of External Authentication Methods in Microsoft Entra ID. I am very excited about External Authentication Methods as they finally allow third-party MFA providers like Cisco Duo to integrate better with Microsoft Entra ID (formerly Microsoft Azure AD).

Microsoft has supported third-party MFA providers for years. The original method for adding external MFA providers is Custom Controls, which was introduced in 2017 as a public preview.

As MFA grew in necessity, the limitations of Custom Controls became apparent. In 2020, Microsoft announced that Custom Controls would not leave public preview but a new solution that addressed its limitations would be created. In May of 2024, the replacement solution External Authentication Methods (EAM) was released as a public preview.

EAM addresses the limitations with Custom Controls, such as satisfying the Multifactor authentication requirement in a conditional access policy rather than using a custom control. EAM is a big deal, as the Entra sign-in logs show Custom Controls as a single-factor authentication when that is not true. I suspect this is because Microsoft has no way of validating whether MFA was completed or not.

Here’s an example of the Entra ID Sign-in logs with Duo using a Custom Control that reports as a Single-factor authentication.

Entra sign-in logs for Duo with custom control grant

If we drill into more details under the Basic info tab, we will still see that the login is reporting as single-factor authentication.

Sign-in log basic info for Duo when using a custom control grant

If we look at the Authentication Details tab, we will see nothing. I suspect this is because Entra has no way of knowing what happened on the Duo side of things, only that Duo said yup this user is good move along.

Sign-in log Authentication Details when Duo uses a custom control grant

If we look at the Conditional Access tab, we finally see that Duo was applied with the custom control and that the result was a success.

Sign-in log conditional access using Duo custom control

The issue of Custom Controls reporting as single-factor authentication in the sign-in logs is resolved with EAM.

Using EAM, we can now directly use third-party MFA solutions like Cisco Duo as an MFA option in Microsoft Entra Authentication methods, allowing us to use the MFA setting in a conditional access policy instead of a custom control. This even allows you to be more granular with the accepted forms of MFA, such as allowing Windows Hello rather than just Duo to grant MFA.

External Authentication Methods is currently in preview. However, everything seems to be working correctly in my testing.

In this post, I will show you step-by-step how to set up Cisco Duo with External Authentication Methods in Microsoft Entra ID.

The Process

Initial Setup

You will see the permissions requested screen for the Cisco Duo External Authentication Method application.

Once you’ve selected a name, you can not change it. The name you enter will also be shown to users. I will be using the name Duo MFA.

I will be using a group named Duo-MFA-Test.

You will now see the external authentication method you just created.

Configure Conditional Access Policy

Now that the initial setup is completed, we need to configure a Conditional Access policy to use the Duo external authentication method.

In my example, I will use the group named Duo-MFA-Test.

In my example, I will target all cloud apps. If you aren’t taking a phased approach to the Conditional Access policy, you may want to select the Office 365 app to help prevent locking yourself out if something doesn’t work correctly.

We don’t need to select the RequireDuoMfa grant as that is the original Duo grant that uses a custom control, and we are replacing it with EAM.

Testing

Now that the conditional access policy has been created, we can test it.

After a successful password, we see a new screen asking us to approve our login with Duo.

The approve with name the user sees is the name you entered when you added the External Authentication Method.

End user messaging to approve with EAM

The user will briefly see a screen informing them they are being redirected to Duo to verify their identity.

That’s all it takes to configure Microsoft Entra ID to use External Authentication Methods with Cisco Duo.

Logs

If we look at the Entra sign-in logs, we will see that Duo now shows up as a Multifactor authentication.

Here’s an example of the Entra ID Sign-in logs with Duo EAM.

Entra sign-in logs for Duo with EAM

The Basic info tab shows that Multifactor authentication was successful, and an external provider was used.

Sign-in log basic info for Duo when using EAM

If we look at the Authentication Details tab, we will see that the authentication method is an external authentication method and that the method is Duo and Duo completed the MFA.

Sign-in log Authentication Details when Duo uses EAM

On the Conditional Access tab we can see that the conditional access policy we created, New Duo MFA, used the Grant Control Require multifactor authentication and was successful.

Sign-in log conditional access using Duo with EAM

Extras

If the user has multiple authentication methods, they can select their preferred MFA method. The options a user sees can be controlled with the require authentication strength setting however, at this time, external methods can’t be defined in authentication strengths.

User with more than one MFA method.

If a user doesn’t have Duo set up for their account, when they select Approve with Duo, they will be guided through the setup of Duo.

If a user is disabled in Duo, they will get an error from Duo after selecting the Duo EAM.

Error when user is disabled in Duo

If a user is set to Bypass in Duo, they will get an error message from Duo after selecting the Duo External Authentication Method.

EAM Duo error when a user is in bypass in Duo

External authentication methods doesn’t fully support everything yet, like self-service password resets, but it’s for sure a step in the right direction.

If you want to read more about configuring Duo with Entra ID External Authentication Methods, here is the Duo documentation.

If you want to read more about the External Authentication Methods in Microsoft Entra ID, here is the Microsoft documentation.

Exit mobile version