Azure AD Sign-In errors with 3rd party Conditional Access (Duo)

  • Question

  • I have an Azure conditional access policy that requires Duo for 2-factor authentication for All Cloud Apps. In the Azure AD sign-in logs, I see a repeatable pattern of 3 sets of logs for every 1 sign-in (screenshot here)

    • First log stating that the sign-in was a failure because "External security challenge was not satisfied" (screenshot)
    • Second log stating that the sign-in was Interrupted because "this error occurred due to 'Keep me signed in' interrupt when the user was signing-in" (screenshot)
    • Third log stating that the sign-in was actually a success (screenshot)

    Is getting logs stating that there has been a sign-in failure during a successful sign-in an expected behavior of an Azure conditional access policy that requires a 3rd party app for 2-factor authentication?




    Monday, May 20, 2019 6:00 PM

All replies

  • This can happen when you have a conditional access policy that applies to all cloud applications but includes an exclusion for one application. See this article and explanation on Duo's page: https://help.duo.com/s/article/4893?language=en_US
    Tuesday, May 21, 2019 12:09 AM
    Moderator
  • The link you posted specifically refers to Duo Access Gateway (DAG), a server-based solution for Duo. In my case, Duo is a SaaS service providing cloud-based MFA, so no DAG is in the picture.

    Additionally, the link about DAG might seem to suggest that the "All Cloud Apps" inclusion in Azure conditional access policies should not be used with Duo. But another article from Duo specifically says that the "All Cloud Apps" inclusion is necessary to protect Office 365 portal logins with Duo:
    https://help.duo.com/s/article/4710?language=en_US

    My question is still open - is there something wrong, or is this pattern in Azure AD sign-in logs to be expected with a properly-configured 3rd party app for MFA?


    Tuesday, May 21, 2019 3:39 AM
  • I'm confirming this with the PG. I think it's expected but I'm not entirely certain since Duo issues are less common.
    Tuesday, May 21, 2019 8:53 PM
    Moderator
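
One way to triage the log pattern described in the question, as an added example that is not part of the thread: it separates "External security challenge was not satisfied" failures that are followed by a success for the same user from those that are not. The field names follow the Microsoft Graph signIn resource, the five-minute pairing window is an assumption, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Failure and interrupt texts as quoted in the thread; matching on text is this example's choice.
CHALLENGE_TEXT = "External security challenge was not satisfied"
KMSI_TEXT = "this error occurred due to 'Keep me signed in' interrupt when the user was signing-in"
WINDOW = timedelta(minutes=5)  # assumed pairing window, tune per tenant

def ts(record):
    return datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def row(user, when, code, reason=None):
    """Build one constructed record shaped like an exported sign-in log entry."""
    return {"userPrincipalName": user, "createdDateTime": when,
            "status": {"errorCode": code, "failureReason": reason}}

def triage(records, window=WINDOW):
    """Return (resolved, unresolved) challenge failures.

    A failure is resolved when the same user has a successful sign-in
    (errorCode 0) no later than `window` after it; otherwise it is
    unresolved and worth an analyst's attention.
    """
    rows = sorted(records, key=ts)
    resolved, unresolved = [], []
    for i, rec in enumerate(rows):
        if CHALLENGE_TEXT not in (rec["status"].get("failureReason") or ""):
            continue  # successes and KMSI interrupts are not classified here
        deadline = ts(rec) + window
        followed = any(
            later["userPrincipalName"] == rec["userPrincipalName"]
            and later["status"]["errorCode"] == 0
            and ts(later) <= deadline
            for later in rows[i + 1:]
        )
        (resolved if followed else unresolved).append(rec)
    return resolved, unresolved

# Constructed sample: alice shows the three-entry pattern from the question,
# bob fails the challenge and only succeeds 20 minutes later.
SAMPLE = [
    row("alice@example.com", "2019-05-20T17:00:01Z", 50158, CHALLENGE_TEXT),
    row("alice@example.com", "2019-05-20T17:00:20Z", 50140, KMSI_TEXT),
    row("alice@example.com", "2019-05-20T17:00:25Z", 0),
    row("bob@example.com", "2019-05-20T17:10:00Z", 50158, CHALLENGE_TEXT),
    row("bob@example.com", "2019-05-20T17:30:00Z", 0),
]

if __name__ == "__main__":
    done, open_items = triage(SAMPLE)
    print("resolved:", [r["userPrincipalName"] for r in done])
    print("unresolved:", [r["userPrincipalName"] for r in open_items])
```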