Microsoft Entra External Authentication Method (EAM) Explained: Integrate Cisco Duo for Secure and Flexible MFA

With the increasing need for flexible and secure multifactor authentication (MFA) solutions, Microsoft Entra ID now supports External Authentication Methods (EAM), allowing organizations to integrate third-party MFA providers like Cisco Duo directly into the authentication flow.

In this blog, we’ll walk through how to configure Cisco Duo as an EAM within Microsoft Entra ID, highlight key prerequisites and limitations, and share important considerations for real-world deployments.

What is an External Authentication Method?

An External Authentication Method lets users authenticate using an external MFA provider (like Duo) while keeping the identity source in Microsoft Entra ID. This contrasts with federation, where the identity is managed entirely by an external identity provider.

In a blog I published a year ago, I demonstrated how to federate authentication for MFA and passwordless sign-in using Beyond Identity.

EAMs are designed to fulfill MFA requirements in the following scenarios:

  • Conditional Access policies
  • Microsoft Entra ID Protection risk-based policies
  • Privileged Identity Management (PIM) activations
  • Applications requiring MFA directly

📌 Note: EAMs require a Microsoft Entra ID P1 license or higher.

Prerequisites

To enable this setup, ensure the following:
Licensing:
Entra ID P1 or P2 license assigned to each user authenticating via Duo. Plans like Microsoft 365 E3/E5/F3, EMS E3/E5, and Business Premium include P1.

Admin Account for Setup:
A designated Entra ID admin service account with Global Administrator or Privileged Role Administrator rights is required during the Duo integration. You may reduce its privileges after configuration.

MFA for Admin Account:
Consider Entra ID baseline MFA policies (using the Microsoft Authenticator app) for admin accounts during the setup phase.

Note: It’s always a best practice to exclude Break Glass and Global Administrator accounts from External Authentication Methods, or to configure backup authentication options in case the EAM provider experiences outages or issues.

Configuring Cisco Duo as an External Authentication Method

Step 1: Prepare Metadata (Duo Setup)

Before setting up, gather Duo-provided metadata required for integration.

Cisco Duo Setup-Flow

1. Create a Duo Account

If you haven’t already, sign up for a Duo account.
Duo Admin Home Page


2. Access the Duo Admin Panel
Log in to the Duo Admin Panel and go to:
Applications → Protect an Application.

Duo Protect an Application


3. Add the Microsoft Entra EAM Application

Find and select "Microsoft Entra ID: External Authentication Methods" from the list of available applications and choose Protect.


Protect Microsoft Entra ID: External Authentication Methods

4. Authorize Duo to Access Entra ID
Duo requires read access to your Microsoft Entra ID tenant.
Click the Authorize button to open the Microsoft login portal.


Authorize Duo to Access Entra ID

Grant Permissions in Microsoft Entra ID

  • Sign in using your designated Entra ID administrator account.
  • Complete MFA (if required).
  • Check "Consent on behalf of your organization".
  • Click Accept to grant Duo the necessary permissions.

Entra ID Admin Consent for Cisco Duo Application

Once done, you’ll be redirected back to the Duo Admin Panel.

Successfully added Microsoft Entra ID: External Authentication Methods to protected applications

5. Enable User Access
  • By default, no users can access new Duo applications.
  • Update the User Access setting to allow either:
    • All users, or
    • Only selected Duo groups

⚠️ Ensure your test user is granted access before beginning the configuration.

In our case, I will select "Enable for all users."

Duo User Access

6. Configure Application Settings (Optional)
You can now modify application settings such as:
  • Changing the default app name
  • Enabling self-service
  • Assigning a group policy
Configure Application Settings (Optional)

If you make changes, be sure to click Save.

Leave the Duo Admin Panel Open
Keep the page open; you’ll need to copy information from Duo into the Microsoft Entra ID Admin Center in the following steps.

Duo application configuration details

Step 2: EAM Setup in Microsoft Entra Admin Center

Log in to your Entra ID tenant at https://entra.microsoft.com using a Global Administrator or Privileged Role Administrator account.

Note: If you’re using the Azure portal (https://portal.azure.com), navigation will differ slightly.

Navigate to Authentication Methods Policy
Go to Protection → Authentication Methods → Policies

Entra ID Authentication method policies

In Azure Portal:

Select Microsoft Entra ID → Security → Authentication Methods → Policies

Add a New External Method
Click + Add External Method.

Configure Basic Details
On the Add External Method page, enter a descriptive name for the Duo method. The default is “Cisco Duo”, but you can provide any name meaningful to your users.

Important:
  • The name must be unique within your Entra tenant.
  • It cannot be changed after creation.
  • This name will appear to users during authentication method selection.

Retrieve Integration Details from Duo Admin Panel

In the Duo Admin Panel (on the Microsoft Entra ID: External Authentication Methods application page):

  • Copy the Client ID and paste it into the Client ID field in Entra ID
  • Copy the Discovery Endpoint and paste it into the Discovery Endpoint field
  • Copy the App ID and paste it into the App ID field in Entra ID

Enable the Method
To activate the Duo method immediately, toggle the Enable setting from Off to On.

External Authentication Methods Properties

Target Specific Users or Groups (Optional)
By default, the method is applied to all users in your tenant.

To scope it to specific groups:

  • Click + Add Target under the Include tab
  • Select Choose Targets
  • On the “Add directory members” page, choose one or more Entra ID groups
  • Click Select to confirm your selection

In our case, I’ll scope this External Authentication Method to a group I created specifically for this demo, named Duo-MFA-Users.

Save the Configuration

Save EAM configuration

The External Authentication Method is now successfully added and appears under the Authentication Methods Policies section.

Authentication method policies

Step 3: Create a Conditional Access Policy to Use Duo MFA

If no Conditional Access (CA) policy currently exists to enforce user MFA, you'll need to create a new one. You can target All users, excluding Break Glass accounts, or apply the policy to a specific group. For this test, I’ll target the same group we used for the EAM policy, Duo-MFA-Users.

In the Microsoft Entra Admin Center: Go to Conditional Access from the left-hand menu, then click + Create New Policy.

In the Azure portal: Navigate to Security → Conditional Access → Policies.

Name the Policy
Enter a meaningful name for the policy, for example: EAM-Cisco-Duo-MFA

Configure Assignments
Define who and what the policy should apply to:
  • Users or Groups: Assign to specific Entra ID users or security groups; in our case, we’ll choose Duo-MFA-Users
  • Cloud Apps or Actions: Target specific apps or All Cloud Apps; we’ll choose All Cloud Apps
  • Conditions: Apply filters like device platform, locations, or sign-in risk

Entra ID CA Policy Assignments

⚠️ Avoid assigning the policy to all users or all apps initially. To prevent locking out administrators, verify Duo MFA functionality with test users before applying the policy more broadly.


Exclude Break Glass Admins

Always exclude at least one fail-safe administrator account (Break Glass account) from Duo MFA and Conditional Access policies. For this account, also:
  • Use a strong password
  • Protect access using a condition like trusted locations
  • Do not include this account in EAM-targeted groups

Set Access Controls
  • Under Access Controls → Grant, select Grant access
  • Check Require multifactor authentication
  • Click Select to apply the changes

Entra ID CA Policy Grant Control

Save the Policy
After completing your configuration, save the policy and proceed with testing.

Step 4: Disabling Microsoft Authenticator When Using Cisco Duo for MFA

If you're planning to standardize Duo as your MFA provider, you may want to prevent Microsoft Entra ID from prompting users to register the Microsoft Authenticator app. However, ensure administrators have at least one Microsoft-native authentication method enabled as a backup for emergency access.

1. Disable the Registration Campaign

In the Microsoft Entra Admin Center, navigate to:
Protection → Authentication Methods → Registration Campaign
Click Edit, set the State to Disabled, and click Save.

💡 Alternatively, you can keep the campaign enabled and exclude any user groups covered by the Duo MFA Conditional Access policy.
Entra ID MFA Registration campaign
In our case, we’ll exclude our Duo-MFA-Users group.

2. Turn Off System-Preferred MFA

Go to Protection → Authentication Methods → Settings → System Preferred Multifactor Authentication

Click Edit, set the State to Disabled, and click Save.

Turn Off System-Preferred MFA

In our case, we’ll exclude our Duo-MFA-Users group.

3. Disable Microsoft Authenticator

Navigate to Protection → Authentication Methods → Policies
Click on Microsoft Authenticator

In the Enable and Target tab, toggle Enable to Off

If you want to keep Microsoft Authenticator available for emergency administrator access, you can leave it enabled and instead:
  • Use the Include tab to target specific admin groups
  • Use the Exclude tab to block users who should not register Authenticator

Disable Microsoft Authenticator

Click Save to apply the changes.

In our case, we’ll exclude our Duo-MFA-Users group from using the Microsoft Authenticator application.

Confirm Authentication Methods Policy Migration Status

In the Entra ID admin center, go to:
Protection → Authentication Methods → Policies, then click Manage Migration to view your current status.

  • Pre-migration: Legacy MFA and the new authentication methods policy are both active.
  • Migration in Progress: Legacy MFA, SSPR, and authentication methods policies all apply.

If Microsoft Authenticator or other methods are enabled in any active policy, users will see them during sign-in. To enforce Duo EAM as the only method, complete the migration to the modern authentication methods policy.
See Microsoft’s guide on policy migration.
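As an added example (not from the original post), a small Python audit of the three settings described above: the EAM from Step 2 is enabled and targets the Duo group, Microsoft Authenticator from Step 4 excludes that group, and the policy migration state is complete. It assumes the policy document has the shape returned by Microsoft Graph's authenticationMethodsPolicy resource; the sample policy below is constructed with placeholder IDs rather than taken from any real tenant.

```python
# Constructed sample shaped like the Microsoft Graph authenticationMethodsPolicy resource
# (GET /v1.0/policies/authenticationMethodsPolicy); property names are assumed to match
# Graph, and every ID below is a placeholder, not a real tenant value.
DUO_GROUP_ID = "00000000-0000-0000-0000-000000000001"  # placeholder: Duo-MFA-Users object ID
EAM_TYPE = "#microsoft.graph.externalAuthenticationMethodConfiguration"

SAMPLE_POLICY = {
    "policyMigrationState": "migrationInProgress",
    "authenticationMethodConfigurations": [
        {
            "@odata.type": EAM_TYPE,
            "displayName": "Cisco Duo",
            "state": "enabled",
            "appId": "00000000-0000-0000-0000-000000000003",  # placeholder App ID from Duo
            "openIdConnectSetting": {"clientId": "placeholder-client-id", "discoveryUrl": "https://example.invalid/.well-known/openid-configuration"},
            "includeTargets": [{"targetType": "group", "id": DUO_GROUP_ID}],
        },
        {
            "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
            "id": "MicrosoftAuthenticator",
            "state": "enabled",
            "includeTargets": [{"targetType": "group", "id": "all_users"}],
            "excludeTargets": [],  # Duo group not excluded: users would still be offered Authenticator
        },
    ],
}

def audit_eam_policy(policy, eam_name, duo_group_id):
    """Return a list of findings; an empty list means all three post-setup checks pass."""
    findings = []
    configs = policy.get("authenticationMethodConfigurations", [])
    eam = next((c for c in configs if c.get("@odata.type") == EAM_TYPE
                and c.get("displayName") == eam_name), None)
    if eam is None or eam.get("state") != "enabled":
        findings.append(f"EAM '{eam_name}' is missing or not enabled")
    elif not any(t.get("id") in (duo_group_id, "all_users") for t in eam.get("includeTargets", [])):
        findings.append(f"EAM '{eam_name}' does not include the Duo group")
    auth = next((c for c in configs if c.get("id") == "MicrosoftAuthenticator"), None)
    if auth and auth.get("state") == "enabled":
        if duo_group_id not in {t.get("id") for t in auth.get("excludeTargets", [])}:
            findings.append("Microsoft Authenticator is enabled and does not exclude the Duo group")
    state = policy.get("policyMigrationState")
    if state != "migrationComplete":
        findings.append(f"policyMigrationState is '{state}': legacy MFA/SSPR methods may still be offered")
    return findings

if __name__ == "__main__":
    for finding in audit_eam_policy(SAMPLE_POLICY, "Cisco Duo", DUO_GROUP_ID):
        print("FINDING:", finding)
```

Run against the sample, it reports two findings (Authenticator not excluding the Duo group, migration not complete); feed it the JSON your tenant returns to re-check after each change in Step 4.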

Temporarily Restrict Methods (If Migration Isn’t Complete)

For Pre-migration:
  • Go to Users → All Users → Per-user MFA and click Service Settings
  • Uncheck unwanted verification methods and save; this applies tenant-wide until migration is complete

For Migration in Progress:
  • Go to Users → Password reset → Authentication methods
  • Disable undesired methods for users with SSPR enabled

To check SSPR users:

Go to Protection → Password reset → Properties

⚠️ If SSPR is required, at least one Microsoft-supported method must remain available alongside Duo EAM

Validating Duo EAM Policy

Now, let’s test the EAM authentication with a new user. Go to any Microsoft 365 portal and sign in using the user's username and password.

M365 User Sign-in

Once the password is accepted, the user will see a “Verification required” prompt. Since no other MFA methods are enabled for this user, Entra ID skips the enrollment prompt and directly initiates authentication via the configured External Authentication Method (EAM).

M365 Login Verification required for MFA

After clicking the Continue button, the user is redirected to the Duo Push page, where a push notification is sent to their Duo Mobile app for approval.

Duo MFA Page

Once the push notification is approved, Duo prompts to save the browser for future MFA exceptions. I selected No and clicked Continue to proceed.

Duo MFA Trusted Browser Page

An id_token containing the necessary claims and signature is received from the external authentication provider. Microsoft Entra validates the token, and the user sign-in is successfully completed.

The EAM sign-in flow is illustrated in the image below.
Microsoft Entra ID EAM Flow
Image Source: Microsoft


M365 Keep me Sign-in Page

In the current preview, all users included in an EAM target group are considered MFA-capable and can use the external authentication method to satisfy MFA requirements. However, these users are not reflected in authentication method registration reports.

Note:
Microsoft is actively working on adding registration support for EAMs. Once this feature is released, users will need to register the EAM with Entra ID before it can be used for MFA prompts.

As of now, users cannot add or manage External Authentication Methods (EAM) from the Security Info page. Similarly, administrators are also unable to add EAMs from the user profile in the Entra admin center.

Users Security info Page

Known Limitations & Considerations with Cisco Duo

Here are some important limitations to consider when using Cisco Duo as an external authentication method:

Bypass Settings Can Block Access
  • Users with Duo "Bypass" status (through groups, policies, or allowed networks) may fail authentication in Entra ID, as no valid MFA claim is received. Ensure such users are not targeted by Conditional Access requiring Duo MFA.
Remembered Devices Work as Expected
  • Sessions that bypass active Duo prompts via remembered devices are still treated as valid MFA by Microsoft Entra ID.
No Guest User Support
  • Duo EAM currently does not support external guest users signing in via B2B collaboration.

Cross-Tenant Support is Limited
Cross-tenant access via Duo only works when:
  • The target tenant trusts MFA claims from the user’s home tenant.
  • The user has already authenticated in their home tenant and received a valid MFA claim.

GCC High Limitations
  • While Azure Government tenants support Entra EAM, Duo Federal is not available in GCC High. Therefore, GCC High customers cannot use Duo as an EAM.

Conclusion

The integration of Cisco Duo as an External Authentication Method (EAM) in Microsoft Entra ID represents a significant step forward for organizations seeking customizable and secure MFA experiences without shifting identity control outside Entra ID.

While still in private preview, the EAM feature unlocks powerful possibilities for enhancing identity protection, enforcing Conditional Access, and securing privileged operations with familiar third-party tools like Duo. As with any evolving capability, it’s important to stay aware of current limitations and plan your deployment strategy accordingly.

By combining Duo’s proven MFA capabilities with Entra ID’s robust identity framework, you can build a more resilient, flexible, and user-centric security posture, ready for today’s hybrid and multi-cloud environments.

