1

Hi Folks,

We have been implementing 2 Factor Authentication across our Network. We are using Duo Security. We have hooked it into our Intranet and are in the process of hooking in into our VPN.

I want to get 2 Factor Authentication on our Office 365 Mail but I am not sure if I should use the built-in 2FA from Office 365 or sync our Active Directory to the cloud and use DUO.

Thoughts Appreciated?

8 Spice ups
2

I’d recommend sticking with one MFA solution if at all possible. Introducing a second app/token/process that users need to follow will only confuse things. The downside with O365/Azure MFA is that you have to have at least P1 level licensing for each account you want to place MFA in front of, even if you’re not using their MFA.

3 Spice ups
3

Thanks for the reply Alan. We have the licensing so that is not an issue. I am rooting for O365 MFA as all I need to do is check a box to activate it. Using DUO has me setting up a Server and syncing our Active Directory to the cloud but the powers that be want everything to be DUO.

4

I’m in the same boat, but we’re going to use Duo for all 2FA services, hopefully this will cause less confusion. We already use aDFS here with 365 so the transition shouldn’t be too big for us, but we are expecting a little pushback.

Sounds like your setup may be a bit more taxing initially, but in my experience Duo is a far better solution, their support is amazing and you can 2FA damn near any service.

Microsoft’s solutions aren’t there yet, but i think in the future their offerings may mature, but the ease of installation and their support really sold us on it.

For instance, implementing Duo for our Cisco AnyConnect was straightforward, I tried the same for MS and it was a 40-page document.

But…if you’ve already got the licensing, then you’d be paying more adding Duo, but it sounds like you’re already paying for both.

1 Spice up
5

Looks like we will go with Duo. My concern is what happens when I setup the sync as we currently have separate accounts for in-house Active Directory and Office 365 with no on-premise E-Mail. If the sync sets it up so we only need the one account, what account takes precedence.

6

Hopefully Duo is a more streamlined MFA then the built in MFA for Office 365 I found the built in to be easy to setup on the admin side but clunky on the user side.

7

I agree onerustycar. I have the Microsoft MFA setup at other sites and the app password always seems to trip up the users.

8

Set up multi-factor authentication for Office 365 users:

9

Do you use modern auth? If you enable modern auth your users won’t need app passwords if they’re using Office 2016

10

Instead using app passwords (Difficult to manage) enable “Modern Authentication”. And another thing you can do - enable “Trusted IP Addresses”. You can specify what network sites by ip address you do NOT want MFA to be enabled.

@onerustycar @edgeorge8924

1 Spice up
11

I have users with Office 2010, Does this exclude me from using Modern Auth?

12

No, but they will just have to use the app password while your 2016 users will just use their passwords

Also works on IOS native app, and Outlook mobile app on IOS and droid.

Second the usage of trusted IPs, just set your WANs as safe and MFA won’t be enforced!

13

Looks like we will be using the Microsoft built in MFA. We recently lost power at our office for 4 days and E-Mail was the only service that we had working. If we tie E-Mail into Duo which is in our office, we would have lost that as well.

I will look into Modern Auth and Trusted IPs. Thanks for all the replies.