Supported providers
At RSA Conference 2024, Microsoft announced integration with these identity providers as launch partners:
- Cisco
- Entrust
- HYPR
- Ping
- RSA
- Silverfort
- Symantec
- Thales
- TrustBuilder
DUO
Duo MFA, also known as Cisco Duo Multi-Factor Authentication, is a cloud-based security solution that adds an extra layer of verification to the login process. It goes beyond just a password (something you know) and requires a second factor (something you have or something you are) to confirm your identity.
Previously, DUO had to be integrated through Custom Controls, which have several limitations:
Functionality | Description |
---|---|
Microsoft Entra Multi-Factor Authentication (MFA) | Custom controls cannot be used to enforce MFA requirements during sign-in. |
Microsoft Entra Self-Service Password Reset (SSPR) | Custom controls cannot be integrated with the SSPR workflow for resetting passwords. |
MFA Claim Requirements | Custom controls cannot be used to validate specific MFA claims presented in tokens. |
Sign-in Frequency Controls | Custom controls cannot be used to define or enforce limitations on how often users can sign in. |
Privileged Identity Manager (PIM) Role Elevation | Custom controls cannot be used to control the elevation of user roles within PIM. |
Intune Device Enrollment | Custom controls cannot be used as part of the device enrollment process for Microsoft Intune. |
Cross-Tenant Trusts | Custom controls are not supported for scenarios involving authentication across different Microsoft Entra tenant environments. |
Device Joining | Custom controls cannot be used to influence the process of joining devices to Microsoft Entra. |
You can find the Custom Controls blade here: https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/CustomControls/fromNav/Identity
More details are available on Microsoft Learn.
Leveraging EAMs and Conditional Access Together
While custom controls and External Authentication Methods (EAMs) serve distinct purposes, they can be implemented concurrently for enhanced security. Here’s how:
Recommended Approach:
Microsoft recommends configuring two separate Conditional Access policies:
- Custom Control Policy: This policy enforces the use of the custom control during sign-in.
- MFA Grant Policy: This policy requires Multi-Factor Authentication (MFA) using the EAM.
Deployment Strategy:
- Utilize test groups for each policy: Assign users to one policy or the other, but not both. This ensures users only encounter one additional verification step at a time.
- Avoid combining conditions: If a user belongs to a policy encompassing both custom control and MFA requirements, they’ll needlessly experience double verification – first through the custom control, triggering an EAM redirect, then through the EAM itself for MFA.
Benefits:
This approach offers a layered security strategy:
- Custom Control Policy: Enforces additional security checks tailored to your organization’s needs.
- MFA Grant Policy: Strengthens authentication with a second factor through the EAM.
- Test Groups: Mitigate disruption by testing each policy on a limited user base before broader rollout.
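One way to sanity-check the assignment rule above before rollout, as an added example that is not part of the original post or of Microsoft's tooling: it walks Graph-shaped Conditional Access policy objects (constructed inline, with placeholder ids) and reports any user or group that would meet both a custom-control policy and an MFA grant policy, or a single policy that requires both.

```python
# Constructed, Graph-shaped policy objects (a subset of the conditionalAccessPolicy
# fields). The control id and group/user ids are placeholders, not real tenant values.
CUSTOM_CONTROL_ID = "00000000-0000-0000-0000-000000000000"  # placeholder

POLICIES = [
    {"displayName": "CA01 Duo custom control", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["grp-pilot-a"], "includeUsers": []}},
     "grantControls": {"operator": "OR", "builtInControls": [],
                       "customAuthenticationFactors": [CUSTOM_CONTROL_ID]}},
    {"displayName": "CA02 MFA via EAM", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["grp-pilot-b"], "includeUsers": ["user-1"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"],
                       "customAuthenticationFactors": []}},
    {"displayName": "CA03 both controls (double prompt)", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["grp-pilot-b"], "includeUsers": []}},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa"],
                       "customAuthenticationFactors": [CUSTOM_CONTROL_ID]}},
]

def requirements(policy):
    """Which second-step requirements the policy's grant controls impose."""
    grant = policy.get("grantControls") or {}
    kinds = set()
    if grant.get("customAuthenticationFactors"):
        kinds.add("custom")
    if "mfa" in (grant.get("builtInControls") or []):
        kinds.add("mfa")
    return kinds

def principals(policy):
    """Directly assigned users and groups; nested group membership is not
    resolved here and would need a Graph lookup in a real tenant."""
    users = policy["conditions"]["users"]
    return set(users.get("includeGroups") or []) | set(users.get("includeUsers") or [])

def double_prompt_findings(policies):
    """Report assignments that would make one sign-in face both the custom
    control (EAM redirect) and the EAM MFA grant. Only enabled policies prompt."""
    findings, by_kind = [], {"custom": {}, "mfa": {}}
    for p in (p for p in policies if p.get("state") == "enabled"):
        kinds = requirements(p)
        if kinds == {"custom", "mfa"}:
            findings.append(f"{p['displayName']}: custom control and MFA in one policy")
        for kind in kinds:
            for who in principals(p):
                by_kind[kind].setdefault(who, []).append(p["displayName"])
    for who in sorted(by_kind["custom"].keys() & by_kind["mfa"].keys()):
        findings.append(f"{who}: custom control via {by_kind['custom'][who]} "
                        f"and MFA via {by_kind['mfa'][who]}")
    return findings
```

With the sample policies, CA01 and CA02 alone are clean; CA03 is flagged both on its own and for putting grp-pilot-b under both requirements.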
External Authentication Methods
Microsoft Entra ID’s External Authentication Methods (EAMs) allow users to leverage existing MFA providers for multi-factor sign-in, fulfilling requirements from Conditional Access, Identity Protection, Privileged Identity Management (PIM), and even individual applications.
Behind the Scenes
When you sign in, security policies for your organization (tenant policies) are checked. These policies determine the authentication strength needed based on the specific resource you’re trying to access. Imagine these policies like access checkpoints with varying security levels.
There can be multiple checkpoints (policies) for a single sign-in, depending on factors like your user group, the application you’re using, the device you’re on, and the perceived risk of the sign-in attempt.
MFA and EAMs
If a policy requires Multi-Factor Authentication (MFA), you’ll need to provide a second layer of verification beyond your password (the first factor). This second factor should be different from your password for increased security.
Some organizations leverage External Authentication Methods (EAMs), which are integrated with Microsoft Entra by administrators. If an EAM is configured for MFA, your sign-in is considered secure after Microsoft Entra validates both:
- Your initial login through Microsoft Entra (first factor)
- The additional verification completed through the EAM (second factor)
This two-step process ensures a strong authentication posture for accessing sensitive resources.
EAM Integration and Sign-in Flow
This table summarizes how External Authentication Methods (EAMs) integrate with Microsoft Entra for Multi-Factor Authentication (MFA).
Step | Description |
---|---|
EAM Endpoints | EAMs utilize OpenID Connect (OIDC) and require three publicly facing endpoints: 1. Discovery Endpoint (publishes provider metadata) 2. Authentication Endpoint (validates the user) 3. Public Certificate URL (verifies the EAM's identity) |
User Sign-in | User attempts to access a Microsoft Entra protected application with a first factor (e.g., password). |
MFA Requirement | Microsoft Entra determines additional authentication (MFA) is needed based on Conditional Access policies. |
EAM Selection | User chooses the EAM as the second factor. |
Entra to EAM Redirect | Microsoft Entra redirects the browser session to the EAM URL discovered during EAM creation. |
Token Exchange | Entra provides an expired/nearly expired token containing user and tenant information. |
EAM Validation | EAM verifies the token source (Entra) and its contents. |
Optional User Information Retrieval | EAM (optional) retrieves additional user details from Microsoft Graph. |
EAM Authentication | EAM performs its own authentication (e.g., additional credential check). |
Response to Entra | EAM redirects the user back to Entra with a valid token containing required claims. |
Entra Token Validation | Entra validates the EAM’s token signature and contents. |
Policy Check | Entra checks the token against MFA and other policy requirements. |
MFA Success (or Failure) | If validation succeeds, the MFA requirement is met (other policies may apply). |
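The two validation steps in the table (EAM Validation and Entra Token Validation), as an added example that is not the page's code nor either vendor's: it uses a stdlib-only HS256 token in place of the real RS256 keys fetched from the discovery and public certificate endpoints, and the claim names sub/tid and the issuer strings are assumptions. The point it shows is that the EAM must not reject Entra's deliberately expired hint on exp, while Entra must insist on a fresh, nonce-bound token for the same subject.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret. A real EAM verifies RS256 signatures against the keys
# Entra publishes, and Entra verifies the EAM's keys from the public certificate URL;
# HS256 with one shared key is a stdlib-only simplification of that step.
DEMO_KEY = b"demo-shared-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, key: bytes) -> str:
    """Mint a compact JWT-style token (HS256) for the demo exchange."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(mac)}"

def verify(token: str, key: bytes) -> dict:
    """Check the signature before trusting any claim; return the claims."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(body))

def check_id_token_hint(token, key, issuer, client_id):
    """EAM side. Entra's hint is expired on purpose, so exp is not enforced here;
    sub/tid as the user and tenant claim names are an assumption of this demo."""
    c = verify(token, key)
    if c.get("iss") != issuer or c.get("aud") != client_id:
        raise ValueError("hint was not issued by the expected tenant for this EAM")
    if "sub" not in c or "tid" not in c:
        raise ValueError("hint lacks user or tenant identity")
    return c

def check_eam_response(token, key, eam_issuer, audience, nonce, sub, now=None):
    """Entra side: accept only a fresh, nonce-bound token for the same user."""
    now = time.time() if now is None else now
    c = verify(token, key)
    if c.get("iss") != eam_issuer or c.get("aud") != audience:
        raise ValueError("response is not from the registered EAM")
    if c.get("exp", 0) <= now:
        raise ValueError("response token has expired")
    if c.get("nonce") != nonce or c.get("sub") != sub:
        raise ValueError("nonce or subject mismatch (replay or user swap)")
    return c
```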
Setup for both
DUO
Create a demo user; use the same UserPrincipalName as in your Entra ID tenant.
Choose Application -> Protect an application
Consent, consent!
And it creates an Enterprise application in Entra.
And just hit copy, Cisco and Microsoft really made this easy for you, excellent!
Entra ID
Open Add external method from here https://entra.microsoft.com/#view/Microsoft_AAD_AuthenticationMethods/ExternalAuthAddNewMethod.ReactView
Paste the copied values.
Once you hit Request permissions, there is a bug: you have to hit Save, close the menu and open it again, and then you will see the consent approved.
Consent, consent!
Then you just turn it on and see the magic happen!
Choose "I can’t use my authenticator". This is not the final state, but in Preview it looks like this (I hope).
Choose your favorite EAM
You will be redirected!
No, will skip for now.
And you can also choose Push or Bypass code (which is found in your DUO app)
This code …
Goes here in your own DUO mobile app
And success!
And the familiar Stay signed in (If not disabled!)
And you can check the logs from DUO admin portal
And in the DUO log you can see the user creation and the logins.
See here for the documentation from DUO
Closure
Beautiful solution and design from both parties; rarely do you see such smooth interaction between two different providers. Excellent feature and execution, Microsoft and Cisco!
If you use one of the supported providers, you can try it out today. If you just want to geek out, you can get a DUO trial here: https://signup.duo.com