Hero Banner

Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Reply
Level 5 Contributor

Issues with Duo or Custom Controls?

We're a CPV using the Secure Application Model and have been getting quite a few reports of issues from partners that use Duo as a 3rd party MFA alternative + that Microsoft is granting technical expections for these partners.

 

Request

Can someone help us all understand what's going on & who we should look to for updates?

 

If the issue's on the Microsoft side, we need some transparency to understand what's going on. If the issue's on the Duo side, we need to know so we can direct our questions to Duo.

 

Background

Partners followed Duo's documentation (https://duo.com/docs/azure-ca) to implement Custom Controls (https://docs.microsoft.com/azure/active-directory/conditional-access/controls#custom-controls-preview) - which are currently in preview.

 

Issue

After partners login to their partner tenant & pass the MFA challenge thru Duo, they're met with a new MFA challenge thru Microsoft when attempting to access customer tenants thru Partner Center and Delegated Administration.

 

Troubleshooting Steps

  1. Verified the customer tenants in question do not use any Conditional Access Policies
  2. Excluded users from the Conditional Access for Duo
  3. Configured users from Step 2 to use Microsoft Authenticator
  4. Deleted our CPV application for the partner tenant's list of Enterprise Applications
  5. Completed a fresh application consent flow with a user from Step 3

While this has resolved the duplicate MFA challenge when users access customer tenants thru Partner Center, the Service Principal Object used for our CPV application is still getting blocked from accessing the customer tenant.

1 REPLY 1
Highlighted
Visitor 1

Re: Issues with Duo or Custom Controls?

Same issue here for us.

 

I was able to workaround by converting an account to use Microsoft MFA (exlcuded from the DUO conditional acces spolicies and instead made a custom one for that user.

 

Then reauthenticated our integrations & applications using that account.

 

Would like a perminant fix when using duo - I do have a microsoft case open.  They granted us an exception because we proved we were using duo, but that didnt fix the double prompt.