Wednesday, February 2, 2022

Securing Azure AD with Duo 2FA

Duo has been one of the most common MFA solutions I’ve worked with over the past 5 years, and most clients who use it for on-premises services such as ADFS tend to ask whether they can also use it for Azure AD. The short answer is yes, with two caveats. First, the integration is implemented as a Conditional Access custom control, and Conditional Access requires Azure AD Premium P1, so replacing Azure MFA with Duo can mean an additional licensing cost (https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-mfa-get-started). Second, because the Duo challenge is completed outside Azure AD and only reported back as a satisfied custom control, the sign-in is not treated as an Azure MFA, so certain risk detection and remediation features of Azure AD Identity Protection (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks) will not be available. With that said, the purpose of this post is to provide a quick walkthrough of the setup process for using Duo as the MFA for Azure AD (portal.azure.com) and Office 365 authentication. The official Duo documentation can be found here: https://duo.com/docs/azure-ca

Begin by logging into the Duo Admin Panel (https://admin.duosecurity.com/), navigate to Applications and click on Protect an Application to register Azure AD as an application:

Search for Azure, select Microsoft Azure Active Directory and click on the Protect button:

Click on the Authorize button to have Duo provide the Azure tenant sign-in prompt:

Sign into the Azure tenant with an account that has Global Administrator permissions:

Authorize the permissions request:

Decide on whether to activate the Universal Prompt for Microsoft Azure AD:

Copy the custom control JSON snippet into Notepad, as we’ll need it to configure Azure AD:

Scroll down and review the settings of the Azure AD application:

Locate the Username normalization setting and change the radio button from None to Simple. This setting matters because, without it, Duo treats each username format as a different user and creates a separate account (with its own enrollment) for each form it sees. For example, the same person could end up with three Duo accounts for the logins:

  1. tluk
  2. tluk@contoso.com
  3. contoso\tluk

With Simple normalization the DOMAIN\ prefix and the @domain suffix are stripped, so all three resolve to the single Duo user tluk.
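
The following is an added example, not code from the original post or from Duo: a PowerShell model of what Simple normalization does (strip a DOMAIN\ prefix and an @domain suffix, compare case-insensitively), applied to a constructed list of usernames as they might appear in a Duo user export taken while normalization was still set to None. Changing the setting does not merge accounts that already exist, so this is the check to run to find the duplicates that need cleaning up by hand. The function name and the sample usernames are my own.

```powershell
# Added example (not from the original post): model of Duo "Simple" username
# normalization, used to find duplicate Duo accounts for the same person.
function ConvertTo-DuoSimpleUsername {
    param([Parameter(Mandatory)][string]$Login)

    $name = $Login.Trim()
    if ($name.Contains('\')) {                        # contoso\tluk -> tluk
        $name = $name.Substring($name.LastIndexOf('\') + 1)
    }
    if ($name.Contains('@')) {                        # tluk@contoso.com -> tluk
        $name = $name.Substring(0, $name.IndexOf('@'))
    }
    return $name.ToLowerInvariant()                   # compare case-insensitively
}

# Constructed sample (assumption): usernames from a Duo user export created
# while Username normalization was still set to None.
$duoUsers = 'tluk', 'tluk@contoso.com', 'contoso\tluk', 'jsmith@contoso.com', 'CONTOSO\akim'

$duoUsers |
    Group-Object { ConvertTo-DuoSimpleUsername $_ } |
    ForEach-Object {
        [pscustomobject]@{
            NormalizedUser = $_.Name
            Accounts       = $_.Count
            Duplicate      = $_.Count -gt 1           # needs manual clean-up in Duo
            RawUsernames   = ($_.Group -join ', ')
        }
    } |
    Sort-Object -Property Accounts -Descending |
    Format-Table -AutoSize
```

Run it against the Username column of a real export (Users > Export in the Admin Panel) instead of the constructed list; every row with Duplicate set to True is a user whose extra accounts, and whatever devices are enrolled on them, should be consolidated before the Azure AD policy goes live.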

Proceed to save the configuration and you should now see the application created:

Log in to https://portal.azure.com, navigate to Azure Active Directory and click on Security:

Select Conditional Access:

Click on Custom controls (Preview) and then New custom control:

Delete the placeholder content in the custom control JSON box:

Paste the JSON snippet copied from Duo and click on Create:

Note the new custom control named RequireDuoMfa listed:

Navigate to Policies and click on New policy:

Note that if the New custom control button was greyed out in the previous step, the tenant does not have Azure AD Premium P1 licenses and Conditional Access cannot be used.

Select Create new policy:

Provide a name for the policy:

Click on Specified users included under Users or workload identities and select the users or groups the policy should apply to. Start with a pilot group rather than all users so that a misconfiguration cannot lock the whole tenant out:

Click on No cloud apps, actions, or authentication contexts selected under Cloud apps or actions, select Select apps and configure the applications you want this policy to apply to. For this example, we’ll include Office 365 and Microsoft Azure Management:

Note that Azure warns you not to lock yourself out, since Microsoft Azure Management covers portal.azure.com, the same portal you are using to create the policy. Microsoft’s guidance on creating and managing emergency access accounts, which should be excluded from this policy, is in the following document: https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access

Click on 0 controls selected under Access controls, select Grant access, tick RequireDuoMfa and select Require all the selected controls:

Note that if RequireDuoMfa is not listed, the custom control was not created in the earlier step.

With the settings configured, you can set Enable policy to Report-only, which evaluates the policy at every sign-in and records the result in the sign-in logs without enforcing it, so you can confirm who would be prompted before turning it on:

Or set it to On, which enforces the policy:

For this example, we will have the policy configured as On:

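
The same policy as the portal steps above, created with the Microsoft Graph PowerShell SDK instead of clicking through the blades. This is an added example, not part of the original post or of Duo’s documentation. It assumes the Microsoft.Graph module is installed, that a pilot group named Duo MFA Pilot and an emergency access account breakglass@contoso.com exist (both placeholders), and that $duoControlId is replaced with the Id field from the custom control JSON Duo generated. The application ID used for Microsoft Azure Management is the well-known one for that app; confirm it against the app picker in the portal before relying on it. The policy is created in report-only state first; change state to enabled to match the final step of the walkthrough.

```powershell
# Added example (not from the original post): Duo custom control policy via Microsoft Graph.
# Placeholders: the Duo control Id, the pilot group name and the break-glass UPN.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "Application.Read.All", "Group.Read.All", "User.Read.All"

$duoControlId = "00000000-0000-0000-0000-000000000000"   # "Id" from Duo's custom control JSON (placeholder)
$pilotGroupId = (Get-MgGroup -Filter "displayName eq 'Duo MFA Pilot'").Id   # who gets prompted
$breakGlassId = (Get-MgUser -UserId "breakglass@contoso.com").Id            # emergency account, excluded

$policy = @{
    displayName = "Require Duo MFA for Office 365 and Azure Management"
    state       = "enabledForReportingButNotEnforced"    # Report-only; set to "enabled" to enforce
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            excludeUsers  = @($breakGlassId)              # never put the break-glass account behind Duo
        }
        applications = @{
            includeApplications = @(
                "Office365",                              # the "Office 365" entry in the app picker
                "797f4846-ba00-4fd7-ba43-dac1f8f63013"    # Microsoft Azure Management (portal.azure.com)
            )
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator                    = "AND"               # "Require all the selected controls"
        builtInControls             = @()
        customAuthenticationFactors = @($duoControlId)    # the RequireDuoMfa custom control
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Sanity check before flipping the state to "enabled": the emergency account must be
# excluded and the Duo control must be the grant requirement. Both lines should print True.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$check.Conditions.Users.ExcludeUsers -contains $breakGlassId
$check.GrantControls.CustomAuthenticationFactors -contains $duoControlId
```

Leave the policy in report-only for a few days and review the Conditional Access report-only results in the sign-in logs before switching the state to enabled; the exclusion of the emergency account is the part to re-verify every time the policy is edited.
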
Proceed to test a login: after entering the Azure AD credentials you should be redirected to the Duo prompt, and the Office 365 or Azure portal session is only established once the Duo challenge is completed:

Hope this provides an idea of what configuring and using Duo as the MFA for Azure AD looks like.
