- The article explains how to fix a problem where Microsoft Authenticator conflicts with M365 using Duo on phones for MFA.
- The solution is to update the conditional access policies or disable per-user MFA in Azure AD to only require Duo for MFA and not Microsoft Authenticator.
If you use Duo for multi-factor authentication (MFA) with Microsoft 365 (M365) on your phone, you may encounter a problem when you also have Microsoft Authenticator installed. This article will explain what causes this issue and how to resolve it.
What is the problem?
Duo and Microsoft Authenticator are two different apps that provide MFA for your online accounts. MFA adds an extra layer of security to your login process by requiring you to verify your identity with something you have (such as your phone) or something you are (such as your fingerprint) in addition to something you know (such as your password).
When you log in to a Duo-protected M365 app on your phone, such as Outlook or Teams, you expect to receive a push notification from Duo that asks you to approve or deny the login request. However, if you also have Microsoft Authenticator installed on your phone, you may see a different notification from Microsoft Authenticator that asks you to approve or enter a code for MFA. This can be confusing and frustrating, especially if you are not expecting it or if it interferes with the Duo authentication process.
This issue occurs because both Duo and Microsoft Authenticator are configured in Azure Active Directory (Azure AD), which is the identity and access management service for M365. Azure AD supports multiple MFA methods, but it does not automatically detect which one you prefer or which one is compatible with your device. Therefore, it may prompt you to use both Duo and Microsoft Authenticator for MFA, one after the other.
How to fix it?
The solution to this problem is to ensure that your conditional access policies in Azure AD only require Duo for MFA and not Microsoft Authenticator. Conditional access policies are rules that define who can access what resources under what conditions. You can use them to enforce MFA for certain users, devices, apps, or locations.
To check and update your conditional access policies, you need to sign in to the Azure portal as an administrator and follow these steps:
- Go to Azure Active Directory > Security > Conditional Access.
- Select the policy that applies to your M365 apps and users. For example, if you have a policy named “Require MFA for all users”, select that policy.
- Under Assignments, click on Cloud apps or actions and make sure that your M365 apps are included in the list of selected apps. For example, if you want to apply the policy to Outlook and Teams, make sure that they are checked in the list.
- Under Access controls, click on Grant and make sure that Require multi-factor authentication is checked and Require approved client app is unchecked. This will ensure that only Duo is required for MFA and not Microsoft Authenticator.
- Click Save to apply the changes.
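The same check can be run across many policies at once. The script below is an added example, not part of the original article: it assumes the policies have been exported as JSON in the shape of Microsoft Graph `conditionalAccessPolicy` objects and reports any enabled M365 policy whose Grant settings differ from the steps above. The sample export and the `M365_TARGETS` set are constructed for illustration.

```python
import json

# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy
# objects; policy names and values are made up for this example.
SAMPLE_EXPORT = json.dumps({"value": [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["Office365"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Mobile app policy", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "AND",
                       "builtInControls": ["mfa", "approvedApplication"]}},
    {"displayName": "Legacy pilot", "state": "disabled",
     "conditions": {"applications": {"includeApplications": ["Office365"]}},
     "grantControls": None},
]})

# Assumption: M365 apps are targeted either as "All" or as the "Office365" group.
M365_TARGETS = {"All", "Office365"}


def audit_policies(export_json):
    """Return (policy name, findings) for each enabled policy covering M365."""
    results = []
    for policy in json.loads(export_json).get("value", []):
        if policy.get("state") != "enabled":
            continue  # disabled and report-only policies are not enforced
        apps = (policy.get("conditions") or {}).get("applications") or {}
        if not M365_TARGETS & set(apps.get("includeApplications") or []):
            continue  # policy does not cover the M365 apps
        grant = policy.get("grantControls") or {}
        controls = set(grant.get("builtInControls") or [])
        findings = []
        if "mfa" not in controls:
            findings.append("Require multi-factor authentication is not checked")
        if "approvedApplication" in controls:
            findings.append("Require approved client app is checked")
        results.append((policy.get("displayName", "<unnamed>"), findings))
    return results


if __name__ == "__main__":
    for name, findings in audit_policies(SAMPLE_EXPORT):
        print(name, "->", findings or "matches the Grant settings above")
```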
Alternatively, you can disable per-user MFA in Azure AD, which is another way that Microsoft Authenticator can be enabled for MFA. To do this, follow these steps:
- Go to Azure Active Directory > Users.
- Select the user that you want to disable per-user MFA for.
- Under Manage, click on Authentication methods.
- Under Enabled methods, click on Change.
- Uncheck the box next to Microsoft Authenticator – Notification/Code and click Save.
After updating your conditional access policies or disabling per-user MFA, you should no longer see Microsoft Authenticator prompts when logging in to Duo-protected M365 apps on your phone. You should only see Duo notifications that ask you to approve or deny the login requests.
Frequently Asked Questions (FAQs)
Here are some frequently asked questions related to this topic:
Question: Can I use both Duo and Microsoft Authenticator for MFA?
Answer: Yes, you can use both Duo and Microsoft Authenticator for MFA, but not at the same time or for the same app. You can choose which app to use for each account or service that supports MFA. For example, you can use Duo for M365 and Microsoft Authenticator for Azure or other websites.
Question: Can I use another authenticator app instead of Microsoft Authenticator?
Answer: Yes, you can use another authenticator app instead of Microsoft Authenticator, such as Google Authenticator or Authy. However, these apps only generate one-time passcodes for MFA and do not support push notifications or biometric verification like Duo or Microsoft Authenticator do.
Question: What if I don’t have a smartphone or a tablet?
Answer: If you don’t have a smartphone or a tablet, you can still use Duo for MFA by using a landline phone or a security key. A landline phone can receive phone calls from Duo that ask you to press any key to approve the login request. A security key is a physical device that plugs into your computer’s USB port and verifies your identity when you touch it.
Disclaimer: This article is not an official Microsoft or Duo solution and may not work for everyone. Please consult your IT administrator or Duo support before making any changes to your Azure AD settings or MFA methods.