Opting to secure your Microsoft 365 environment with Cisco Duo is a wise choice that will bring added security advantages to your organization. Before beginning the process of integrating Cisco Duo with your Microsoft 365 environment, it is crucial to plan and prepare for the integration. This involves ensuring that all necessary prerequisites are met beforehand.
This article aims to provide readers with a comprehensive guide for seamlessly integrating Microsoft 365 with Cisco Duo. The main focus of this guide is to outline a meticulous Plan and Prepare phase, ensuring organizations embark on the integration journey with the utmost precision and efficiency.
The process of integrating Cisco Duo with Microsoft 365 almost always looks like this:
Let’s just cover some of the basics before we get into the prerequisites:
There are potentially four ways to integrate Duo with Microsoft 365:
- Integration using Duo Single Sign-On (SSO)
- Integration using Microsoft Conditional Access Policies
- SSO with the Duo Access Gateway
- Duo MFA with Microsoft Active Directory Federation Services (ADFS)
- SSO with Third-Party Identity Providers
This article focuses on the two most common integration methods: integration with Microsoft 365 using Duo SSO, and integration using Microsoft Conditional Access Policies.
Which method you choose ultimately depends on the answers to the following questions:
- What Microsoft licenses do you currently have?
- Do you want to federate your domain with Cisco Duo?
- Do you want to control which applications within your Microsoft estate use Cisco Duo, or would you like to secure all applications with Cisco Duo?
- Do you have a Zero Trust strategy or policy in place that mandates (now or in the near future) the use of Passwordless authentication?
- Do you currently have an on-premises Active Directory?
You may not have considered these questions yet, and that's fine: this is the start of the planning stage, and the answers determine the prerequisites for how Cisco Duo is integrated with Microsoft 365.
As an organisation, you may have more questions than the ones presented above, but these are usually sufficient to determine which method to choose. Let's look at how these questions help determine how you proceed to the next stage.
Once the relevant questions are answered in the planning stage, you are ready to move on to the preparation stage. In the preparation phase, the prerequisites are gathered and understood, and the necessary changes are arranged for your particular integration. Any change control processes and procedures should be followed where required, and the prerequisites should be completed successfully before proceeding to the next stage. You can find the prerequisites for your integration method in the relevant Duo documentation: https://duo.com/docs/o365
To help put the preparation phase into perspective, let’s assume we want to integrate Microsoft 365 with Duo SSO.
Duo SSO integration with Microsoft 365 adds multi-factor authentication and several other features to authentication attempts to Microsoft 365 and Azure logins. That means any application that leverages Azure logins will transition to using Duo SSO once integrated, because Duo will act as the Identity Provider (IdP). This assumes the custom domain(s) added within the Azure tenant are federated with Duo. Any domain that isn't federated with Duo SSO will continue to authenticate users as it does today, via the Microsoft sign-in page.
Let’s look at the prerequisites for this particular integration.
The table below highlights the prerequisites that need to be met for the integration of Microsoft 365 with Duo SSO:
| Prerequisite | Notes | Prerequisite met (Yes/No) |
| --- | --- | --- |
| Active Directory | AD is required to verify user login credentials. | |
| Duo Authentication Proxy installed on-premises | The Authentication Proxy is required to verify primary login credentials against Active Directory (the authentication source). The Duo reference document covers the detailed requirements, but for the sake of this article I have highlighted the key requirements here: at least one standalone Windows or Linux server that can communicate with your Active Directory domain controller(s); service account credentials for Active Directory; access to DNS for the user email domains you will use with SSO, in order to add TXT records; TCP 443 bidirectional flow permitted between the Duo cloud and the Authentication Proxy; TCP 389 (LDAP) or TCP 636 (LDAPS) permitted from the Authentication Proxy to the Active Directory domain controller(s). Reference: https://duo.com/docs/authproxy-reference | |
| Custom domain added within the Microsoft tenant | The custom domain is a public domain that your organisation owns and is the one that will be federated with Duo. This domain cannot be set as the default domain and cannot be the .onmicrosoft.com domain. Additionally, ensure that there is a tenant administrator account associated with the .onmicrosoft.com domain to avoid any lockout issues. Reference: https://learn.microsoft.com/en-us/microsoft-365/admin/setup/add-domain?view=o365-worldwide | |
| Install Microsoft AAD Connect to enable synchronisation between AD and AAD | Microsoft 365 requires that users are provisioned in Microsoft 365, so users need to be synchronised to AAD using AAD Connect. Reference: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/how-to-connect-install-roadmap | |
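As an added example (not code from this post, Duo or Microsoft), the script below runs pre-flight checks for the prerequisites in the table: the Authentication Proxy's network paths, DNS for the domain, and the tenant-side domain conditions. It assumes placeholder values for $DomainController, $DuoApiHost and $FederatedDomain, runs on the intended Authentication Proxy host, and uses the Microsoft.Graph PowerShell module for the tenant checks.

```powershell
# Pre-flight checks for the Duo SSO + Microsoft 365 prerequisites (added example).
# Placeholders (assumed values, replace with your own): $DomainController,
# $DuoApiHost (shown in the Duo admin panel), $FederatedDomain.
# Run on the server that will host the Duo Authentication Proxy.
param(
    [string]$DomainController = 'dc01.corp.example.com',        # placeholder
    [string]$DuoApiHost       = 'api-XXXXXXXX.duosecurity.com', # placeholder
    [string]$FederatedDomain  = 'corp.example.com'              # placeholder custom domain
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Met, [string]$Detail) {
    $results.Add([pscustomobject]@{ Prerequisite = $Name; Met = $Met; Detail = $Detail })
}

# TCP 443 from the proxy host to the Duo cloud (the proxy initiates this connection)
$t = Test-NetConnection -ComputerName $DuoApiHost -Port 443 -WarningAction SilentlyContinue
Add-Check 'TCP 443 to Duo cloud' $t.TcpTestSucceeded $DuoApiHost

# TCP 389 (LDAP) or 636 (LDAPS) from the proxy host to a domain controller; prefer LDAPS
foreach ($port in 389, 636) {
    $t = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
    Add-Check "TCP $port to domain controller" $t.TcpTestSucceeded $DomainController
}

# DNS: you will need to add a TXT record for the domain, so confirm the zone resolves today
$txt = Resolve-DnsName -Name $FederatedDomain -Type TXT -ErrorAction SilentlyContinue
Add-Check 'TXT records resolvable for the domain' ($null -ne $txt) (($txt.Strings) -join '; ')

# Tenant checks: domain present, not the default, not .onmicrosoft.com, still Managed
Connect-MgGraph -Scopes 'Domain.Read.All', 'User.Read.All' -NoWelcome
$domain = Get-MgDomain -DomainId $FederatedDomain -ErrorAction SilentlyContinue
Add-Check 'Custom domain exists in the tenant' ($null -ne $domain) $FederatedDomain
Add-Check 'Custom domain is not the default domain' ($domain -and -not $domain.IsDefault) "IsDefault=$($domain.IsDefault)"
Add-Check 'Custom domain is not .onmicrosoft.com' (-not $FederatedDomain.EndsWith('.onmicrosoft.com')) $FederatedDomain
Add-Check 'Domain is still Managed (not yet federated)' ($domain.AuthenticationType -eq 'Managed') "AuthenticationType=$($domain.AuthenticationType)"

# Lockout guard: at least one account on the initial .onmicrosoft.com domain, which keeps a
# sign-in path that does not depend on the federated domain (confirm it holds an admin role)
$initial = (Get-MgDomain | Where-Object { $_.IsInitial }).Id
$breakGlass = Get-MgUser -All -Property UserPrincipalName |
    Where-Object { $_.UserPrincipalName -like "*@$initial" }
Add-Check 'Account exists on .onmicrosoft.com domain' ($breakGlass.Count -gt 0) "$($breakGlass.Count) account(s) on $initial"

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Met }) { exit 1 }   # non-zero exit if any prerequisite is unmet
```

Record the output against the "Prerequisite met" column; a non-zero exit means at least one row is still open.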
Once satisfied that the prerequisites are met, it's time to carry out the integration. If you are planning to test the integration with a Duo trial, now is the time to start that trial: https://duo.com/trial. Depending on your integration method and environment, you may choose to test the integration in a test environment first. For organisations without a test environment, Duo policies can be configured so that only specified users are subject to Duo's MFA; this is useful when organisations want to test Duo features without impacting the whole organisation.
Furthermore, if we stick with our example Duo SSO integration, we can leverage a fairly new Microsoft feature called Staged Rollout. This feature allows organisations to test cloud-based authentication for groups of users without fully enabling it for the rest of the organisation. I have created two demonstration videos of the staged-rollout process here: https://networkwizkid.com/video-series-microsoft-365-staged-rollout-with-duo-single-sign-on-multi-factor-authentication/
Regardless of the integration method chosen, Duo will need to know about the users that will be required to complete MFA. Therefore, part of the integration process involves integrating your IdP, whether that is AD or another cloud-based identity provider.
Note: The Microsoft tenant transitions from managed to federated as part of the federation process. Microsoft states that it can take two hours or more for this process to complete; however, it is usually very quick. The same applies when de-federating the tenant and transitioning back to a managed state. It's worth calling this out, as user logins may be impacted during the transition.
For a detailed breakdown of the integration process, please follow the relevant Duo documentation or contact your Duo account representative for more information.
Once integration is complete, it's time to test and verify that everything works as expected. Understandably, each organisation is different and will likely have different success criteria, but the following should be factored into your test plans.
Note: The following list is not exhaustive; it is included to give you some ideas about what you can and should include in your tests.
- Test a user’s ability to authenticate to Microsoft 365
- Verify that successful authentication attempts are displayed within the Duo admin panel
- Attempt to authenticate with a user that’s not yet enrolled in Duo but is synchronised in AAD
- Create/modify an application policy associated with the integration and test the enabled features
- If any other applications are integrated with Microsoft, user logins will be redirected to Duo. Test each application, ensuring users can still authenticate.
- Test any application that doesn’t support modern authentication such as mail clients that use service accounts for SMTP
Once testing is complete and Duo has met your success criteria, it is time to fine-tune the Duo deployment, ensuring any relevant features are enabled and the right security policies are in place.
Download the Duo Liftoff Guide to further enhance your deployment with some key best practices: https://help.duo.com/s/article/liftoff-deployment-guide?language=en_US
I hope that you find this guide useful. Let’s grab a coffee: https://www.buymeacoffee.com/networkwizkid. Please leave your comments if you’ve found this useful and let me know if you would like to see anything else added.