Cisco Duo has become almost the industry standard for Managed Service Providers (MSPs) to resell an MFA authentication service to their customers, one that provides a consistent experience across multiple apps and services such as Entra ID, Windows clients and servers, VPNs and more. Only recently has Microsoft’s new EAM (external authentication method) technology allowed Cisco Duo’s MFA platform to satisfy the MFA requirement in Microsoft Entra ID, enabling organisations to drastically improve both security and their end-user experience.
In this article, I show you how to set up Cisco Duo as an external authentication method in Microsoft Entra ID and walk you through the approach you should take when migrating from the existing custom controls integration to EAM.
Set up the Cisco Duo Microsoft Entra ID: External Authentication Methods application
From the Duo admin portal, you will need to set up the Microsoft Entra ID: External Authentication Methods application and obtain the following three pieces of information, which are used to configure the external authentication method in Microsoft Entra:
- AppId
- ClientId
- DiscoveryURL
These can be obtained by following the steps below:
2. Expand Applications, then select Protect an application.
3. In the search bar, search for Microsoft Entra ID: External Authentication Methods and select Protect, then Authorize.
4. You will be prompted to grant consent to Duo’s Multi-tenant application. When prompted, log in with your tenant’s Global Administrator account, check the box and click Accept.
5. You will then be returned to the application's settings page. If not, from your Application list, select Microsoft Entra ID: External Authentication Methods.
6. At the top of the page, under the Details heading, copy the Name, Client ID, Discovery Endpoint and App ID as highlighted below.
7. Apply the policy to specific groups or all users, then modify any further settings as required by your organisation. Once this is done, you can move over to the next step below.
Create a new External Authentication Method in Microsoft Entra ID
When you authorise the application from Cisco Duo, you will see the application (or Service Principal) listed in your Entra tenant, under Identity > Applications > Enterprise Applications. If it appears like the below, you are ready to proceed.
Note:
Interestingly, the multi-tenant application behind the new integration is owned by a different Microsoft tenant than the app used for the previous integration.
Whereas the Duo Azure Authentication (old) app is registered in a tenant with a default domain of duosecurityinc.onmicrosoft.com (3c453cf7-43fe-4e45-a9b9-f168f480f0f8), the Cisco Duo External Authentication Method (new) app is registered in cisco.onmicrosoft.com (5ae1af62-9505-4097-a69a-c1553ef7840e), which also contains domains such as cisco.com, meraki.com and webex.com.
Overall, even though the app is registered in Cisco’s production tenant, this means customers benefit from the robust security controls Cisco applies there, rather than relying on a dedicated tenant which may not receive the same level of control, governance and monitoring.
Follow the steps below to register a new External Authentication Method in Microsoft Entra ID for Duo:
2. Expand Protection and select Authentication Methods > Add external method.
3. Using the information collected from the Duo admin center, enter the Name, Client ID, Discovery Endpoint and App ID into this page. As admin consent was already granted directly from the Duo portal, the Request admin consent section should show Admin consent granted.
Ensure you set the method to Enabled and you target either all users or a specific group of users.
4. When you are ready, click Save.
Migrate from Cisco Duo custom controls to external authentication methods
The great thing about Cisco Duo is that all user registration is done independently of Microsoft, in the Duo authentication platform. This means that as long as a user has set up their Duo account with their mobile device (which they should already have done if you are using custom controls), they do not need to re-register their device when you migrate to external authentication methods.
1. Firstly, check who is targeted by the Conditional Access policy that enforces the legacy custom control method. You can identify which policy is enforcing this setting by finding the policy with a grant control named RequireDuoMfa.
2. From the Conditional Access policies list page, duplicate the existing policy and rename it to Require Duo (EAM).
3. Now, target your test users with this policy by selecting them under the Users section.
4. Then under Access controls, click Grant, then uncheck RequireDuoMfa and select Require multifactor authentication. Your policy should look like the below:
5. You can then save your new policy.
6. Lastly, head back to your previous policy which enforces the custom controls method and exclude your test user from it.
Note:
If both policies target your users, they will be prompted to authenticate to Duo twice during login, which is not the desired result.
After successfully testing Cisco Duo EAM, return to the new Conditional Access policy and target all users, then set the old policy to report-only or Off (it should later be deleted).
The user sign in experience using Cisco Duo EAM
When the user next accesses their Microsoft 365 services, they will be required to meet the MFA requirement (previously, custom controls did not satisfy this requirement). After entering their password (if it is not saved), they will be asked to verify their identity by selecting one of the available EAM methods. In this case, the only EAM method assigned to our users is Cisco Duo:
A short redirection notice will appear for the user, like so:
Then, the Duo page on their workstation will show a 3-digit code (as shown on the right-hand side of the image below), which they will be prompted to enter on their mobile (as shown on the left-hand side of the image below).
Once this is complete, the user will be immediately redirected back to their application.
Analysing the sign-in logs
It is often useful to look into the Entra ID sign-in logs to help troubleshoot issues or identify failed and successful sign-in attempts. You can also use these logs to confirm that since moving to EAM, users are now satisfying MFA in Conditional Access.
To find these logs, follow the steps below:
- Log in to entra.microsoft.com.
- Expand Monitoring & health, then select Sign-in logs.
- You can then filter the logs to identify any which were successful or failed.
Alternatively, you can use Microsoft Graph PowerShell to filter the logs. Below is an example snippet where I filter the sign-in logs on the following criteria:
- The new Cisco Duo conditional access policy is applied
- Logged in the last 24 hours
This way you can identify how many successful and failed sign-in attempts for the new Cisco Duo external authentication method there have been in the last 24 hours, based on the new Conditional Access policy.
Get-MgBetaAuditLogSignIn -Filter "appliedConditionalAccessPolicies/any(x:x/id eq '931f7222-41d2-4395-88dd-b1af08aee550') and createdDateTime gt 2024-05-13 and createdDateTime lt 2024-05-14"
The example below connects to Microsoft Graph (consenting to the required permission), stores the result of the sign-in log query in the $logs variable and displays the results in a grid view window.
# Connect to Microsoft Graph PowerShell with the permission needed to read sign-in logs
Connect-MgGraph -Scopes "AuditLog.Read.All"
# Define the start date and end date used to filter the logs
$startdate = "2024-05-13"
$enddate = "2024-05-14"
# Define the ID of the Conditional Access policy targeting EAM
$capolicy = "931f7222-41d2-4395-88dd-b1af08aee550"
# Collect the sign-ins where that policy was applied within the date range
$logs = Get-MgBetaAuditLogSignIn -Filter "appliedConditionalAccessPolicies/any(x:x/id eq '$capolicy') and createdDateTime gt $startdate and createdDateTime lt $enddate"
# Display the logs in a grid view window
$logs | Out-GridView
To make the result more readable, you can select which columns you wish to view directly from the output console:
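Building on the query above, here is an added PowerShell example (not from the original article) that summarises the returned sign-ins rather than just displaying them: it counts successful and failed attempts, checks how many successful sign-ins recorded an MFA requirement with the EAM policy reporting success, and breaks failures down by error code. It reuses the policy ID and dates from the snippet above, and assumes the property names of the beta signIn resource returned by Get-MgBetaAuditLogSignIn (Status, AuthenticationRequirement, ConditionalAccessStatus, AppliedConditionalAccessPolicies).

```powershell
# Added example: summarise Entra sign-ins for the Duo EAM Conditional Access policy.
# Assumes the same policy ID and date range as the article's snippet.
Connect-MgGraph -Scopes "AuditLog.Read.All"

$capolicy  = "931f7222-41d2-4395-88dd-b1af08aee550"
$startdate = "2024-05-13"
$enddate   = "2024-05-14"

# -All pages through every matching sign-in instead of only the first page
$logs = Get-MgBetaAuditLogSignIn -All -Filter "appliedConditionalAccessPolicies/any(x:x/id eq '$capolicy') and createdDateTime gt $startdate and createdDateTime lt $enddate"

# A sign-in is successful when its status error code is 0; anything else failed or was interrupted
$successes = @($logs | Where-Object { $_.Status.ErrorCode -eq 0 })
$failures  = @($logs | Where-Object { $_.Status.ErrorCode -ne 0 })

# Successful sign-ins where Entra required MFA and the EAM policy itself reported success:
# this is the evidence that users now satisfy MFA (custom controls never produced this)
$mfaSatisfied = @($successes | Where-Object {
    $_.AuthenticationRequirement -eq 'multiFactorAuthentication' -and
    (($_.AppliedConditionalAccessPolicies | Where-Object { $_.Id -eq $capolicy }).Result -eq 'success')
})

[pscustomobject]@{
    Total        = $logs.Count
    Successful   = $successes.Count
    Failed       = $failures.Count
    MfaSatisfied = $mfaSatisfied.Count
} | Format-List

# Group failures by error code and show the failure reason so recurring problems stand out
$failures | Group-Object { $_.Status.ErrorCode } |
    Select-Object Count, Name, @{ n = 'Reason'; e = { $_.Group[0].Status.FailureReason } } |
    Sort-Object Count -Descending | Format-Table -AutoSize

# Per-user view with the Conditional Access outcome, useful while piloting with test users
$logs | Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName,
    ConditionalAccessStatus, AuthenticationRequirement,
    @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } } |
    Sort-Object CreatedDateTime | Format-Table -AutoSize
```

If the MfaSatisfied count stays at zero while sign-ins succeed, check that the EAM method is Enabled and targets the same users as the new policy.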
For updated information on known limitations when using Cisco Duo with Entra ID external authentication methods, view the official Duo docs here.
Thanks for sharing! I have been cracking my head on this for a month, and it works amazingly. The only thing for me is that I am still getting requests for the Microsoft Authenticator App and clicking on the blue link that says “I can’t use my Microsoft Authenticator app right now” to get to the “Approve Cisco DUO”.
Any idea how I can bypass the Microsoft Authenticator App?
Not yet as the feature is in preview.
Once released, Authentication strengths can be used!
Hi Daniel,
Thank you for the guide!
Is there maybe a mistake in the Conditional Access screenshot? I would think in order to use Duo instead of “Azure MFA” you would _disable_ “Require Multifactor Authentication” and _enable_ “RequireDuoMFA”, or did I miss something here?
Regards
Andi
Hi Andi,
No, the RequireDuoMFA is the custom control which should NOT be used, as this guide is to migrate from custom controls to EAM (which satisfies MFA; custom controls do NOT), hence using the Require Multifactor Authentication setting.
Hi Daniel
Thanks for the guide! On your screenshot of Approve with Duo, I am still getting asked for the Microsoft Authenticator App before being asked for Duo. How can I remove it?
Hey Freddie, your best option is to remove the authenticator app as a registered MSP method.
Hopefully soon Microsoft will release EAM integration with Authentication Strengths 🙂