I'm curious about the login process when transitioning workstations from Active Directory (AD) to Entra with a Duo-federated Microsoft 365 tenant. If I start this move, will logging in fail because it can't authenticate via Duo? Is there a workaround that allows users to log in without being prompted for Duo authentication? Also, would setting up Duo Conditional Access policies and defederating be the best approach to handle this situation? Thanks for your insights!
3 Answers
This is quite the situation! With Duo, an interactive web login is required for Duo SSO. If you federate your 365 domain to Duo, users will generally struggle to log into Entra-joined devices. The good news is if you enable WS-Trust, Duo will remove the 2FA requirement, allowing SSO on those devices through the standard login flow. Just a heads up though, for this to work currently, users have to log in with their full email as their username due to a bug—this will be fixed in the next major update! Also, consider making a group policy to bypass certain requirements during device enrollment if you're using device trust.
While I'm not an expert on Duo specifically, I can share my experience with similar setups like Secret Double Octopus. For Entra ID to work properly, the tenant needs to be federated via WS-FED instead of SAML. This ensures a smoother redirection for logins, especially during the initial configuration. I suggest giving it a try with Duo—you might find that it operates similarly! If you're interested, I can share a blog post detailing this process with SDO.
From my experience, if the Duo client is not installed on the workstation, users won’t get prompted for Duo at login, even with Duo federation for Microsoft 365. But if the client is present, it will prompt based on your configuration for passwordless access or push notifications.
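The first two answers hinge on how the domain is federated: whether an active (WS-Trust) sign-in endpoint is published and whether the protocol is WS-Fed rather than SAML. Below is an added diagnostic, not code from Duo or from any of the posters, that reads a domain's federation settings from Microsoft Graph and reports those two points before devices are migrated. It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller has Domain.Read.All, and that `contoso.com` is a placeholder for your own federated domain.

```powershell
# Added example: check whether a federated domain is set up in a way that
# lets Entra-joined devices complete the native (non-browser) login flow.
# Requires: Install-Module Microsoft.Graph (assumption: SDK present)
function Test-FederatedDomainForDeviceLogin {
    param(
        [Parameter(Mandatory)] [string] $DomainId   # e.g. 'contoso.com' (placeholder)
    )

    Connect-MgGraph -Scopes 'Domain.Read.All' -NoWelcome

    $fed = Get-MgDomainFederationConfiguration -DomainId $DomainId
    if (-not $fed) {
        return [pscustomobject]@{ Domain = $DomainId; Federated = $false }
    }

    # WS-Trust is the "active" endpoint; without it, Windows sign-in on
    # Entra-joined devices has no non-interactive path to the IdP (answer 1).
    $hasActiveEndpoint = -not [string]::IsNullOrWhiteSpace($fed.ActiveSignInUri)

    # Answer 2 notes that WS-Fed, not SAML, is what Entra device login expects.
    $isWsFed = $fed.PreferredAuthenticationProtocol -eq 'wsFed'

    [pscustomobject]@{
        Domain                    = $DomainId
        Federated                 = $true
        IssuerUri                 = $fed.IssuerUri
        PassiveSignInUri          = $fed.PassiveSignInUri
        ActiveSignInUri           = $fed.ActiveSignInUri
        HasWsTrustEndpoint        = $hasActiveEndpoint
        Protocol                  = $fed.PreferredAuthenticationProtocol
        ProtocolIsWsFed           = $isWsFed
        FederatedIdpMfaBehavior   = $fed.FederatedIdpMfaBehavior
        ReadyForDeviceLogin       = ($hasActiveEndpoint -and $isWsFed)
    }
}

# Usage (placeholder domain):
Test-FederatedDomainForDeviceLogin -DomainId 'contoso.com' | Format-List
```

`FederatedIdpMfaBehavior` is included because it tells you whether Entra will accept MFA claims from the federated IdP, which matters if you plan to move the second factor into Conditional Access as the question suggests.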