In this blog, we’ll walk through how to configure Cisco Duo as an EAM within Microsoft Entra ID, highlight key prerequisites and limitations, and share important considerations for real-world deployments.
What is an External Authentication Method?
An External Authentication Method lets users authenticate using an external MFA provider (like Duo) while keeping the identity source in Microsoft Entra ID. This contrasts with federation, where the identity is managed entirely by an external identity provider.
In a blog I published a year ago, I demonstrated how to federate authentication for MFA and passwordless sign-in using Beyond Identity.
EAMs are designed to fulfill MFA requirements in the following scenarios:
- Conditional Access policies
- Microsoft Entra ID Protection risk-based policies
- Privileged Identity Management (PIM) activations
- Applications requiring MFA directly
📌 Note: EAMs require a Microsoft Entra ID P1 license or higher.
Prerequisites
To enable this setup, ensure the following:
Admin Account for Setup:
A designated Entra ID admin service account with Global Administrator or Privileged Role Administrator rights is required during the Duo integration. You may reduce its privileges post-configuration.
Consider Entra ID baseline MFA policies (using the Microsoft Authenticator app) for admin accounts during the setup phase.
Note: It’s always a best practice to exclude Break Glass and Global Administrator accounts from External Authentication Methods, or to configure backup authentication options in case the EAM provider experiences outages or issues.
Configuring Cisco Duo as an External Authentication Method
Step 1: Prepare Metadata (Duo Setup)
Before setting up, gather the Duo-provided metadata required for integration.
1. Create a Duo Account
Log in to the Duo Admin Panel and go to:
Applications → Protect an Application.
3. Add the Microsoft Entra EAM Application
Duo requires read access to your Microsoft Entra ID tenant.
Click the Authorize button to open the Microsoft login portal.
Complete MFA (if required).
Check "Consent on behalf of your organization".
Once done, you’ll be redirected back to the Duo Admin Panel.
- By default, no users can access new Duo applications.
Update the User Access setting to allow:
All users, or
⚠️ Ensure your test user is granted access before beginning the configuration.
You can now modify application settings such as:
- Changing the default app name
- Enabling self-service
- Assigning a group policy
If you make changes, be sure to click Save.
Step 2: EAM Setup in Microsoft Entra Admin Center
Log in to your Entra ID tenant at https://entra.microsoft.com using a Global Administrator or Privileged Role Administrator account.
Note: If you’re using the Azure portal (https://portal.azure.com), navigation will differ slightly.
Navigate to the Authentication Methods Policy
In the Microsoft Entra Admin Center: go to Protection → Authentication Methods → Policies
In the Azure portal: select Microsoft Entra ID → Security → Authentication Methods → Policies
When entering the name for the new external method, keep in mind:
- The name must be unique within your Entra tenant
- It cannot be changed after creation
- This name will appear to users during authentication method selection
Retrieve Integration Details from Duo Admin Panel
In the Duo Admin Panel (on the Microsoft Entra ID: External Authentication Methods application page):
- Copy the Client ID and paste it into the Client ID field in Entra ID
- Copy the Discovery Endpoint and paste it into the Discovery Endpoint field
- Copy the App ID and paste it into the App ID field in Entra ID
To scope it to specific groups:
Click + Add Target under the Include tab
Select Choose Targets
On the “Add directory members” page, choose one or more Entra ID groups
Click Select to confirm your selection
In our case, I’ll scope this External Authentication Method to a group I created specifically for this demo, named Duo-MFA-Users.
Save the Configuration
The External Authentication Method is now successfully added and appears under the Authentication Methods Policies section.
Step 3: Create a Conditional Access Policy to use Duo MFA
If no Conditional Access (CA) policy currently exists to enforce user MFA, you'll need to create a new one. You can target All users, excluding Break Glass accounts, or apply the policy to a specific group. For this test, I’ll target the same group we used for the EAM policy — the Duo-MFA-Users group.
In the Microsoft Entra Admin Center: Go to Conditional Access from the left-hand menu, then click + Create New Policy.
In the Azure portal: Navigate to Security → Conditional Access → Policies.
- Users or Groups: Assign to specific Entra ID users or security groups; in our case we’ll choose Duo-MFA-Users
- Cloud Apps or Actions: Target specific apps or All Cloud Apps; we’ll choose All Cloud Apps
- Conditions: Apply filters like device platform, locations, or sign-in risk
⚠️ Avoid assigning the policy to all users or all apps initially. To prevent locking out administrators, verify Duo MFA functionality with test users before applying the policy more broadly.
Exclude Break Glass Admins
- Use a strong password
- Protect access using a condition like trusted locations
- Do not include this account in EAM-targeted groups
Set Access Controls
- Under Access Controls → Grant, select Grant access
- Check Require multifactor authentication
- Click Select to apply the changes
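The same configuration from Steps 2 and 3 can be scripted with the Microsoft Graph PowerShell SDK, which also lets you check the break-glass exclusion the post insists on. This is an added example, not from the original post or from Duo; the Duo values, group and account object IDs are placeholders, the EAM resource lives on the Graph beta endpoint, and the Conditional Access policy is created in report-only mode so nothing is enforced until you have validated Duo with test users.

```powershell
# Added example (not part of the original post). Requires the Microsoft.Graph PowerShell SDK.
# All IDs and Duo values below are placeholders; replace them with values from your tenant
# and from the Duo Admin Panel application page.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', `
                        'Policy.ReadWrite.ConditionalAccess', 'GroupMember.Read.All'

$duoGroupId    = '<object id of the Duo-MFA-Users group>'
$breakGlassIds = @('<object id of break-glass account 1>', '<object id of break-glass account 2>')
$duoAppId      = '<App ID from Duo Admin Panel>'
$duoClientId   = '<Client ID from Duo Admin Panel>'
$duoDiscovery  = '<Discovery Endpoint URL from Duo Admin Panel>'

# Step 2: create the external authentication method (beta endpoint).
# displayName cannot be changed after creation and is what users see at sign-in.
$eam = @{
  '@odata.type'        = '#microsoft.graph.externalAuthenticationMethodConfiguration'
  displayName          = 'Cisco Duo'
  state                = 'enabled'
  appId                = $duoAppId
  openIdConnectSetting = @{ clientId = $duoClientId; discoveryUrl = $duoDiscovery }
  includeTargets       = @(@{ targetType = 'group'; id = $duoGroupId })   # scope to one group only
}
Invoke-MgGraphRequest -Method POST `
  -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations' `
  -Body ($eam | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Step 3: Conditional Access requiring MFA for the Duo group, break-glass accounts excluded.
# Report-only state: evaluate sign-in logs first, switch to 'enabled' once Duo is proven.
$ca = @{
  displayName   = 'Require MFA - Duo-MFA-Users'
  state         = 'enabledForReportingButNotEnforced'
  conditions    = @{
    users        = @{ includeGroups = @($duoGroupId); excludeUsers = $breakGlassIds }
    applications = @{ includeApplications = @('All') }
  }
  grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $ca

# Guardrail: a break-glass account that is a member of the EAM target group would depend
# on Duo being reachable, which defeats its purpose during a provider outage.
$memberIds = (Get-MgGroupMember -GroupId $duoGroupId -All).Id
$overlap   = $breakGlassIds | Where-Object { $memberIds -contains $_ }
if ($overlap) {
  Write-Warning "Break-glass account(s) are members of the EAM target group: $($overlap -join ', ')"
} else {
  Write-Host 'OK: no break-glass account is targeted by the Duo EAM.'
}
```

Run the guardrail section again whenever the group membership changes, since the exclusion in the Conditional Access policy does not remove the account from the EAM target.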
Step 4: Disabling Microsoft Authenticator When Using Cisco Duo for MFA
If you're planning to standardize Duo as your MFA provider, you may want to prevent Microsoft Entra ID from prompting users to register the Microsoft Authenticator app. However, ensure administrators have at least one Microsoft-native authentication method enabled as a backup for emergency access.
1. Disable the Registration Campaign
In the Microsoft Entra Admin Center, navigate to:
Protection → Authentication Methods → Registration Campaign
Click Edit, set the State to Disabled, and click Save.
💡 Alternatively, you can keep the campaign enabled and exclude any user groups covered by the Duo MFA Conditional Access policy. In our case we’ll exclude our Duo-MFA-Users group.
2. Turn Off System-Preferred MFA
Go to Protection → Authentication Methods → Settings → System Preferred Multifactor Authentication
Click Edit, set the State to Disabled, and click Save.
In our case we’ll exclude our Duo-MFA-Users group.
3. Disable Microsoft Authenticator
Navigate to Protection → Authentication Methods → Policies
Click on Microsoft Authenticator
In the Enable and Target tab, toggle Enable to Off
Use the Exclude tab to block users who should not register Authenticator
Click Save to apply the changes.
In our case we’ll exclude our Duo-MFA-Users group from using the Microsoft Authenticator application.
Confirm Authentication Methods Policy Migration Status
In the Entra ID admin center, go to:
Protection → Authentication Methods → Policies, then click Manage Migration to view your current status.
- Pre-migration: Legacy MFA and the new authentication methods policy are both active.
- Migration in Progress: Legacy MFA, SSPR, and authentication methods policies all apply.
If Microsoft Authenticator or other methods are enabled in any active policy, users will see them during sign-in. To enforce Duo EAM as the only method, complete the migration to the modern authentication methods policy.
See Microsoft’s guide on policy migration.
Temporarily Restrict Methods (If Migration Isn’t Complete)
For Pre-migration:
- Go to Users → All Users → Per-user MFA, then click Service Settings
- Uncheck unwanted verification methods and save
- This applies tenant-wide until migration is complete
For Migration in Progress:
- Go to Users → Password reset → Authentication methods
- Disable undesired methods for users with SSPR enabled
To check which users have SSPR enabled:
Go to Protection → Password reset → Properties
⚠️ If SSPR is required, at least one Microsoft-supported method must remain available alongside Duo EAM
Validating Duo EAM Policy
Now, let’s test the EAM authentication with a new user. Go to any Microsoft 365 portal and sign in using the user's username and password.
After clicking the Continue button, the user is redirected to the Duo Push page, where a push notification is sent to their Duo Mobile app for approval.
Once the push notification is approved, Duo prompts you to remember the browser so future MFA prompts can be skipped. I selected No and clicked Continue to proceed.
In the current preview, all users included in an EAM target group are considered MFA-capable and can use the external authentication method to satisfy MFA requirements. However, these users are not reflected in authentication method registration reports.
Note:
Microsoft is actively working on adding registration support for EAMs. Once this feature is released, users will need to register the EAM with Entra ID before it can be used for MFA prompts.
As of now, users cannot add or manage External Authentication Methods (EAM) from the Security Info page. Similarly, administrators are also unable to add EAMs from the user profile in the Entra admin center.
Known Limitations & Considerations with Cisco Duo
Here are some important limitations to consider when using Cisco Duo as an external authentication method:
Bypass Settings Can Block Access
- Users with Duo "Bypass" status (through groups, policies, or allowed networks) may fail authentication in Entra ID, as no valid MFA claim is received. Ensure such users are not targeted by Conditional Access requiring Duo MFA.
- Sessions that bypass active Duo prompts via remembered devices are still treated as valid MFA by Microsoft Entra ID.
- Duo EAM currently does not support external guest users signing in via B2B collaboration.
Cross-tenant access via Duo only works when:
- The target tenant trusts MFA claims from the user’s home tenant.
- The user has already authenticated in their home tenant and received a valid MFA claim.
- While Azure Government tenants support Entra EAM, Duo Federal is not available in GCC High. Therefore, GCC High customers cannot use Duo as an EAM.
Conclusion
The integration of Cisco Duo as an External Authentication Method (EAM) in Microsoft Entra ID represents a significant step forward for organizations seeking customizable and secure MFA experiences without shifting identity control outside Entra ID.
While still in private preview, the EAM feature unlocks powerful possibilities for enhancing identity protection, enforcing Conditional Access, and securing privileged operations with familiar third-party tools like Duo. As with any evolving capability, it’s important to stay aware of current limitations and plan your deployment strategy accordingly.
By combining Duo’s proven MFA capabilities with Entra ID’s robust identity framework, you can build a more resilient, flexible, and user-centric security posture, ready for today’s hybrid and multi-cloud environments.