Duo adds two-factor authentication to Outlook Web App (OWA) logins, offering inline self-service enrollment and authentication with Duo Universal Prompt.
Video shows Duo for OWA v1.x installation experience. Please read this page in its entirety for the current v2.x installation instructions.
Check your server versions before starting. These instructions are for Exchange Server 2013 and 2016, running on Windows Server 2012 or newer, and Exchange Server 2019, running on Server 2019 or newer.
Duo for Microsoft OWA also requires the .NET Framework 4.7.1 or later runtime installed on your Exchange server.
Duo's two-factor solution for OWA 2010 reached its last day of support on February 15, 2021. Microsoft Exchange 2010 reached the end of support on October 13, 2020. Do not attempt to install Duo's OWA application for Exchange 2013 and later on an Exchange 2010 server. Plan your migration to a supported Exchange version.
This application communicates with Duo's service on SSL TCP port 443.
Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review Duo Knowledge Base article 1337.
Effective June 30, 2023, Duo no longer supports TLS 1.0 or 1.1 connections or insecure TLS/SSL cipher suites. See Duo Knowledge Base article 7546 for additional guidance.
Effective June 30, 2023, Duo no longer supports TLS 1.0 or 1.1 connections or insecure TLS/SSL cipher suites.
Duo for OWA v1.3.3 supports TLS 1.2 when installed on Exchange servers running a version of Windows that also supports and uses TLS 1.2 or higher.
Duo for OWA v2.0.0 and later require TLS 1.2 as the minimum version.
See the article Guide to TLS support for Duo applications and TLS 1.0 and 1.1 end of support for more information.
Before moving on to the deployment steps, it's a good idea to familiarize yourself with Duo administration concepts and features like options for applications, available methods for enrolling Duo users, and Duo policy settings and how to apply them. See all Duo Administrator documentation.
The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!
The new Universal Prompt provides a simplified and accessible Duo login experience for web-based applications, offering a redesigned visual interface with security and usability enhancements.
|Universal Prompt||Traditional Prompt|
Migration to Universal Prompt for your Microsoft OWA application is a three-step process:
Before you activate the Universal Prompt for your application, it's a good idea to read the Universal Prompt Update Guide for more information about the update process and the new login experience for users.
When you install the latest version of OWA you're ready to use the Universal Prompt. If you're configuring Microsoft OWA now, proceed with the installation instructions in this document.
The "Universal Prompt" area of the application details page shows that this application is "New Prompt Ready", with these activation control options:
OWA needs a software update installed to support the Universal Prompt. The "Universal Prompt" section of your existing Microsoft OWA application reflects this status as "App Update Ready". To update OWA application to a newer version, follow the update directions below.
Once a user authenticates to OWA via the updated Duo plugin, the "Universal Prompt" section of the Microsoft OWA application page reflects this status as "New Prompt Ready", with these activation control options:
In addition, the "Integration key" and "Secret key" property labels for the application update to "Client ID" and "Client secret" respectively. The values for these properties remain the same.
Activation of the Universal Prompt is a per-application change. Activating it for one application does not change the login experience for your other Duo applications.
Enable the Universal Prompt experience by selecting Show new Universal Prompt, and then scrolling to the bottom of the page to click Save.
Once you activate the Universal Prompt, the application's Universal Prompt status shows "Update Complete" here and on the Universal Prompt Update Progress report.
Should you ever want to roll back to the traditional prompt, you can return to this setting and change it back to Show traditional prompt.
Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all your Duo applications in-scope for Universal Prompt support. You can also activate the new prompt experience for multiple supported applications from the report page instead of visiting the individual details pages for each application.
Try setting your application's New User Policy to "Allow Access" while testing. Users that Duo knows about will be prompted to authenticate with Duo, while all other users will be transparently let through.
Users that have a phone (or hardware token) associated with them will see the authentication prompt. All other users will be able to add their phone through Duo's self-service enrollment (see Test Your Setup).
Then (when you're ready) change the "New user policy" to "Require Enrollment." This will prompt all users to authenticate (or enroll) after they type in their usernames and passwords.
Install Duo on the Microsoft Exchange Server instances running the Exchange 2010/2013 Client Access Server role or the Exchange 2016/2019 Client Access services. The installation process varies slightly depending on how many Client Access servers you have. The Duo installer stops and then restarts IIS services on your Exchange servers automatically.
Launch the Duo Security installer MSI from an elevated command prompt (right-click "Command Prompt" and select the "Run as Administrator" option). Accept the license agreement and continue.
Enter your Client ID (formerly called the Integration key), Client secret (formerly called the Secret key), and API hostname from the Duo Security OWA application page when prompted.
If the Bypass Duo authentication when offline option is unchecked, then Duo for AD FS will "fail closed" when Duo Security cloud services are unreachable and users will not be able to access protected federated resources. Check the box if you want users to be able to access protected applications without Duo authentication if Duo's cloud service is unreachable. This setting can be changed post-install from the registry.
Duo for OWA sends a user's Windows
sAMAccountName to Duo's service by default. To send the
userPrincipalName to Duo instead, check the Send username to Duo in UPN format box. For this to work, OWA and ECP must be using Forms-Based Authentication (FBA). Learn how to enable FBA for Exchange at Microsoft TechNet.
If you enable the UPN username format option, you must also change the properties of your OWA application in the Duo Admin Panel to change the "Username normalization" setting to None. Otherwise, Duo drops the domain suffix from the username sent from OWA to our service, which may cause user mismatches or duplicate enrollment.
If you only have one Exchange Server running the Client Access Server role, select the option to automatically generate a new key. However, if you have multiple Client Access Server servers then you should manually generate a random string at least 40 characters long, and use the same string as the session key during installation on each of the servers.
For example, you could use the following PowerShell commands to generate a suitable session key:
$bytes = new-object "System.Byte" 30 (new-object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes) [Convert]::ToBase64String($bytes)
Complete the Duo installation. The installer stops and then restarts IIS services automatically.
To test your setup, log into OWA. Successful verification of your username and password redirects you to Duo. Complete Duo two-factor authentication when prompted and then you'll return to OWA to complete the login process.
*Universal Prompt experience shown.
If you plan to permit use of WebAuthn authentication methods (security keys, U2F tokens, or Touch ID) in the traditional Duo Prompt, Duo recommends configuring allowed hostnames for this application and any others that show the inline Duo Prompt before onboarding your end-users.
The Duo Universal Prompt has built-in protection from unauthorized domains so this setting does not apply.
If your organization offloads SSL requests to OWA via a load balancer, please see the FAQ for additional Duo configuration instructions.
You can upgrade your Duo installation over the existing version; there's no need to uninstall first. Note that the installer restarts IIS services.
If you're upgrading from a v1.x plugin to a v2.x plugin then verify you have also installed the .NET Framework 4.7.1 or later runtime on your Exchange server.
Follow the on-screen prompts to complete the upgrade installation.
The installer now defaults the Bypass Duo authentication when offline option to off when upgrading from v1.x to v2.0.0. If you want to allow users access to OWA without 2FA when Duo's service can't be reached then select this option during your upgrade install. Upgrades from v2.0.0 to future releases will preserve your choice.
Repeat the upgrade on all your Exchange client access servers.