Configure External Authentication Methods in Entra ID with Duo Security

Cisco Duo has become almost the industry standard for Managed Service Providers (MSPs) to resell an MFA authentication service to their customers that provides a consistent experience across multiple apps and services, such as Entra ID, Windows clients & servers, VPNs and more. It is only recently that Microsoft’s new EAM (external authentication method) technology will allow Cisco Duo’s MFA platform to satisfy MFA requirements across Microsoft Entra ID, enabling organisations to drastically improve security and their end-user experience. 

In this article, I show you how to set up Cisco Duo as an external authentication method in Microsoft Entra ID and walk you through the approach you should take when migrating from the existing custom controls integration to EAM. 

Setup the Cisco Duo with Microsoft Entra ID: External Authentication Methods

From the Duo admin portal, you will need to set up the Microsoft Entra ID: External Authentication Methods application and obtain the following three pieces of information which will be used to configure the external authentication method in Microsoft Entra:

  • AppId
  • ClientId
  • DiscoveryURL

This can be obtained by following the below steps:

1. Log in to the Duo admin portal with your Duo administrator account.

2. Expand Applications, then select Protect an application.

3. In the search bar, search for Microsoft Entra ID: External Authentication Methods and select Protect, then Authorize.

4. You will be prompted to grant consent to Duo’s Multi-tenant application. When prompted, log in with your tenant’s Global Administrator account, check the box and click Accept.

Duo external auth method
Duo external auth method

5. You will then be returned to the applications settings page. If not, from your Application list, select Microsoft Entra ID: External Authentication Methods.

Select Microsoft Entra ID External Authentication Methods
Select Microsoft Entra ID External Authentication Methods

6. At the top of the page, under the Details heading, copy the Name, Client ID, Discovery Endpoint and App ID as highlighted below.

Duo external auth settings
Duo external auth settings

7. Apply the policy to specific groups or all users, then modify any further settings as required by your organisation. Once this is done, you can move over to the next step below.

Create a new External Authentication Method in Microsoft Entra ID

When you authorise the application from Cisco Duo, you will see the application (or Service Principal) listed in your Entra tenant, under Identity > Applications > Enterprise Applications. If it appears like the below, you are ready to proceed.

Cisco Duo External Authentication Method
Cisco Duo External Authentication Method

Note:

Interestingly, the multi-tenant application used in the new instance of the app is owned by a different Microsoft tenant compared to the previous app used for integration.

Where the Duo Azure Authentication (old) app is registered in a tenant with a default domain of duosecurityinc.onmicrosoft.com (3c453cf7-43fe-4e45-a9b9-f168f480f0f8), instead, the Cisco Duo External Authentication Method (new) app is registered in cisco.onmicrosoft.com (5ae1af62-9505-4097-a69a-c1553ef7840e), which also contains domains such as cisco.com, meraki.com and webex.com

Overall, even though the the app is registered in Cisco’s production tenant, this ensures customers can benefit from the robust security they implement, instead of a dedicated tenant which may not get the same level of control, governance and monitoring.

Follow the steps below to register a new External Authentication Method in Microsoft Entra ID for Duo:

1. Log in to entra.microsoft.com as at least a Privileged Role Administrator (you can also use a Global Administrator account)

2. Expand Protection and select Authentication Methods > Add external method.

Add external method Entra ID
Add external method Entra ID

3. Using the information collected from the Duo admin center, enter the Name, Client ID, Discovery Endpoint and App ID into this page. As admin consent was already granted directly from the Duo portal, the Request admin consent section should show Admin consent granted.

Ensure you set the method to Enabled and you target either all users or a specific group of users.

Add Cisco Duo as an external authentication method
Add Cisco Duo as an external authentication method

4. When you are ready, click Save.

Migrate from Cisco Duo custom controls to external authentication methods

The great thing about Cisco Duo is that all the user registration is done independently from Microsoft, in the Duo authentication platform. This means that as long as the user has set up their Duo account with their mobile (which if you are already using Custom controls, they should have done), then they do not need to re-register their device when you migrate to external authentication methods.

1. Firstly, check for whom you are targeting with your Conditional Access policy that enforces the legacy custom control method. You can identify which policy is enforcing this setting by finding the policy with a grant control named RequireDuoMfa.

2. From the Conditional Access policies list page, duplicate the existing policy and rename it to Require Duo (EAM).

3. Now, target your test users with this policy be selecting them under the Users section.

4. Then under Access controls, click Grant, then uncheck RequireDuoMfa and select Required multifactor authentication. Your policy should look like the below:

Cisco Duo EAM Conditional Access policy
Cisco Duo EAM Conditional Access policy

5. You can then save your new policy.

6. Lastly, head back to your previous policy which enforces the custom controls method and exclude your test user from it.

Note:

If both policies target your users, they will be prompted to authenticate to Duo twice during login, which is not the desired result.

After any successful testing of Cisco Duo EAM, return back to the new conditional access policy and target all users, then set the old policy to report-only or Off (it should then later be deleted).

The user sign in experience using Cisco Duo EAM

When the user next accesses their Microsoft 365 services, they will be required to meet the MFA requirements (as previously, custom controls did not meet this requirement). After entering their login password (if it is not saved), they will be asked to verify their identity by selecting one of the available EAM methods. In this case, the only EAM method assigned to our users is Cisco Duo:

Approve with Cisco Duo
Approve with Cisco Duo

As short redirection notice will appear for the user, like so:

Redirected to EAM
Redirected to EAM

Then, the Duo page on their workstation will show a 3-digit code (as shown on the right-hand side of the image below), which they will be prompted to enter on their mobile (as shown on the left-hand side of the image below).

Approve Duo EAM prompt
Approve Duo EAM prompt

Once this is complete, the user will be immediately redirected back to their application.

Analysing the sign-in logs

It is often useful to look into the Entra ID sign-in logs to help troubleshoot issues or identify failed and successful sign-in attempts. You can also use these logs to confirm that since moving to EAM, users are now satisfying MFA in Conditional Access. 

To find these logs, follow the steps below:

  1. Log in to entra.microsoft.com.
  2. Expand Monitoring & health, then select Sign-in logs.
  3. You can then sort through the logs to identify any which are successful or failed.
Cisco Duo EAM satisfies MFA
Cisco Duo EAM satisfies MFA

Alternatively, you can use Microsoft Graph PowerShell to help filter through the logs. Below is an example snippet where I filter the sign-in logs based on the below criteria:

  • The new Cisco Duo conditional access policy is applied
  • Logged in the last 24 hours

This way you can identify how many successful and failed sign-in attempts for the new Cisco Duo external authentication method there have been in the last 24 hours, based on the new Conditional Access policy.

Get-MgBetaAuditLogSignIn -Filter “appliedConditionalAccessPolicies/any(x:x/id eq ‘931f7222-41d2-4395-88dd-b1af08aee550’) and createdDateTime gt 2024-05-13 and createdDateTime lt 2024-05-14”

Using the below example, you will connect to Microsoft Graph and consent to the correct permissions, store the result of the sign-in log query to the $logs variable and display the results in a table.

#Connect to Microsoft Graph PowerShell
Connect-MgGraph -scope auditlog.read.all

#Define the start date and enddate to filter the logs
$startdate = "2024-05-13"
$enddate = "2024-05-14"

#Define the ID of the conditional access policy targetting EAM
$capolicy = "931f7222-41d2-4395-88dd-b1af08aee550"

#Collect logs
$logs = Get-MgBetaAuditLogSignIn -Filter "appliedConditionalAccessPolicies/any(x:x/id eq '$capolicy') and createdDateTime gt $startdate and createdDateTime lt $enddate"

#Display logs in gridview
$logs | out-gridview

To make the result more readable, you can select which columns you with to view directly from the output console:

Filter EAM log results
Filter EAM log results

For updated information on known limitations when using Cisco Duo with Entra ID external authentication methods, view the official Duo docs here.

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

This Post Has 4 Comments

  1. Andi

    Hi Daniel,

    thank you for the guide!
    Is there maybe a mistake in the Conditional Access screenshot? I would think in order to use Duo instead of “Azure MFA” you would _disable_ “Require Multifactor Authentication” an _enable_ “RequireDuoMFA” or did I miss something here?

    Regards
    Andi

    1. Daniel Bradley

      Hi Andi,

      No the RequireDuoMFA is the custom control which should NOT be used, as this guide is to migrate from custom controls to EAM (which satisfies MFA, custom controls does NOT) hence using the Require Multifactor Authentication setting.

  2. Freddie

    Hi Daniel

    Thanks for the guide! On you screenshot of Approve with Duo, i am still getting asked for Microsoft Authenticator App before asking for Duo. How can remove it?

    1. Daniel Bradley

      Hey Freddie, your best option is to remove the authenticator app as a registered MSP method.

      Hopefully soon Microsoft with release EAM integration with Authentication Strengths 🙂

Leave a Reply