Issues with Duo or Custom Controls?
We're a CPV using the Secure Application Model and have been getting quite a few reports of issues from partners that use Duo as a 3rd party MFA alternative + that Microsoft is granting technical exceptions for these partners.
Can someone help us all understand what's going on & who we should look to for updates?
If the issue's on the Microsoft side, we need some transparency to understand what's going on. If the issue's on the Duo side, we need to know so we can direct our questions to Duo.
Partners followed Duo's documentation (https://duo.com/docs/azure-ca) to implement Custom Controls (https://docs.microsoft.com/azure/active-directory/conditional-access/controls#custom-controls-preview) - which are currently in preview.
After partners log in to their partner tenant & pass the MFA challenge thru Duo, they're met with a new MFA challenge thru Microsoft when attempting to access customer tenants thru Partner Center and Delegated Administration.
- Verified the customer tenants in question do not use any Conditional Access Policies
- Excluded users from the Conditional Access for Duo
- Configured users from Step 2 to use Microsoft Authenticator
- Deleted our CPV application from the partner tenant's list of Enterprise Applications
- Completed a fresh application consent flow with a user from Step 3
While this has resolved the duplicate MFA challenge when users access customer tenants thru Partner Center, the Service Principal Object used for our CPV application is still getting blocked from accessing the customer tenant.
Same issue here for us.
I was able to work around it by converting an account to use Microsoft MFA (excluded from the DUO conditional access policies and instead made a custom one for that user).
Then reauthenticated our integrations & applications using that account.
Would like a permanent fix when using Duo - I do have a Microsoft case open. They granted us an exception because we proved we were using Duo, but that didn't fix the double prompt.
We're still working around it by using Microsoft MFA - we have one custom policy that requires the user to use Microsoft MFA while the rest of the Org is using Duo.
We have had to do some temporary exclusions in our conditional access policies to get some applications to re-authenticate at times.
For example, our ConnectWise Unite integration stopped working for one client after enabling conditional access for the client. We then needed to exclude external users and the External Identity Provider Administrator role from the policy, which allowed Unite to reauthenticate.
We were then able to remove those exclusions and Unite is working fine now.
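An added audit helper (not from either poster, Microsoft or Duo) that classifies how a given account gets MFA under a tenant's Conditional Access policies, so you can confirm the workaround both posts describe: the integration account is excluded from the Duo custom-control policy and covered instead by a policy requiring Microsoft MFA. The policy JSON is constructed to mirror the shape of the Microsoft Graph conditionalAccessPolicy resource (includeUsers/excludeUsers, builtInControls, customAuthenticationFactors); those property names are assumed from that resource and the GUIDs are placeholders.

```python
import json

# Constructed sample in the shape of a Graph
# GET /identity/conditionalAccess/policies response. All values are made up.
SAMPLE_POLICIES = json.loads("""
{"value": [
  {"displayName": "Require Duo for all users", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["user-b-guid"]}},
   "grantControls": {"operator": "OR", "builtInControls": [],
                     "customAuthenticationFactors": ["duo-custom-control-guid"]}},
  {"displayName": "Require Microsoft MFA for CPV service account", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["user-b-guid"], "excludeUsers": []}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"],
                     "customAuthenticationFactors": []}}
]}
""")


def applies_to_user(policy, user_id):
    """True if the policy's user scope covers user_id (exclusions win over 'All')."""
    users = policy.get("conditions", {}).get("users", {})
    if user_id in users.get("excludeUsers", []):
        return False
    include = users.get("includeUsers", [])
    return "All" in include or user_id in include


def mfa_paths(policies, user_id):
    """Return (custom_control_policies, builtin_mfa_policies) that apply to user_id."""
    custom, builtin = [], []
    for p in policies["value"]:
        if p.get("state") != "enabled" or not applies_to_user(p, user_id):
            continue
        grant = p.get("grantControls") or {}
        if grant.get("customAuthenticationFactors"):   # e.g. the Duo custom control
            custom.append(p["displayName"])
        if "mfa" in grant.get("builtInControls", []):  # Microsoft's own MFA
            builtin.append(p["displayName"])
    return custom, builtin


def check_account(policies, user_id):
    """Classify the MFA path; 'custom-control-only' is the state the thread reports problems with."""
    custom, builtin = mfa_paths(policies, user_id)
    if custom and builtin:
        return "both"
    if custom:
        return "custom-control-only"
    if builtin:
        return "microsoft-mfa"
    return "no-mfa"


if __name__ == "__main__":
    for uid in ("user-a-guid", "user-b-guid"):
        print(uid, "->", check_account(SAMPLE_POLICIES, uid))
```

Swap SAMPLE_POLICIES for the real Graph response to see which accounts still sit only behind the custom control.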