Multi domain Office 365 tenant and SSO Federation with DUO Access Gateway (DAG) and Azure AD Connect

Silas Thomas
2 min read · Dec 8, 2020


This can work, and here’s how:

Conceptually speaking, you already have the following:

  • In your single forest and single AD domain, you’ve set up multiple top-level (or subdomain) domain aliases, aka alternative UPN suffixes
  • Your users authenticate to the domain with their alt UPN and to your Office 365 tenant with the same UPN, but don’t get SSO because they’re not on the “primary” Office 365 domain
  • You have Azure AD Connect configured for your single-forest, single-domain AD and syncing all your user objects into Azure AD/Office 365 with no name collisions
  • You have your Office 365 tenant set up and verified with all the same domains as your UPN suffixes, along with the proper DNS records for inbound and outbound mail flow
  • You have your users with those alt UPN domains in Duo, either via Duo Directory Sync or added manually, with their 2FA set up
  • You already have your Duo Access Gateway (DAG) deployed and running
  • You already have your primary Office 365 domain federated with your DAG using SAML

Technically speaking, Azure AD does support multi-domain federation, but their example here is for ADFS. If you read through it, you’ll see the federation SSO settings all essentially remain the same; just the issuer URI changes per domain. So that’s what we’re going to do using our single DAG server.

NOTE: Duo now supports SSO (Applications) natively without the Duo Access Gateway, but if you use native Duo SSO for Office 365, you’ll have to set up a separate Duo application for each alt UPN domain in your directory.

Now review Duo’s documentation on this; it’s important that you have everything set up and running with SSO and federation for your primary Office 365 domain first. Pay attention to the section “Enable AD Federation to Office 365 using DAG”, as you’ll repeat steps 6–8 for each UPN domain.

  1. You need to create a DNS CNAME for each domain you want to federate with Office 365. So for each UPN suffix, in your public DNS add something like upn1DAG.yourPrimaryDomain.com, upn2DAG.yourPrimaryDomain.com, etc. Each CNAME just points back to the DAG.yourPrimaryDomain.com record of your Duo Access Gateway.
  2. Then, in PowerShell, you just change the variables for the UPN domain you’re federating and re-run the commands, again for each UPN you want to federate. Update the variables below (step 6), then re-run the Set-MsolDomainAuthentication command (step 8) for each UPN:

$dom = "UPN1.com"
$uri = "https://UPN1DAG.upn1.com/dag/saml2/idp/metadata.php"

All other variables remain the same.

When Office 365 redirects the user to your SAML endpoint, it uses the URL from the metadata it retrieves from that URI, which will simply be the primary CNAME of your DAG server.

When you’re done, verify it worked with the “Get-MsolDomainFederationSettings -domain UPN1.com” command, then test authenticating to O365 with one of your @upn1.com UPN accounts; you should get your Duo SSO prompt.
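The script below is an added example, not code from the post or from Duo’s documentation, that applies steps 1–2 and the verification above to several alt UPN domains in one pass. It assumes the MSOnline module is loaded and Connect-MsolService has already been run, that $LogOnUrl, $LogOffUrl, $ecpUrl and $cert are the same DAG values you used for the primary domain (placeholders here), and that the brand name “Duo Access Gateway” and the CNAME names are just illustrative.

```powershell
# Added example: federate several alt UPN domains with one DAG server.
# Assumes Connect-MsolService has already been run. The DAG values below
# are placeholders; reuse the ones from your primary-domain federation.
$dagHost   = "dag.yourPrimaryDomain.com"                        # DAG FQDN
$LogOnUrl  = "https://$dagHost/dag/saml2/idp/SSOService.php"
$LogOffUrl = "https://$dagHost/dag/saml2/idp/SingleLogoutService.php"
$ecpUrl    = "https://$dagHost/dag/saml2/idp/ecp.php"
$cert      = "<BASE64-SIGNING-CERT-FROM-DAG-METADATA>"          # placeholder

# Alt UPN suffix -> the per-domain CNAME that points back at the DAG.
# (Constructed sample values; use your own suffixes and CNAMEs.)
$altDomains = @{
    "upn1.com" = "upn1dag.yourPrimaryDomain.com"
    "upn2.com" = "upn2dag.yourPrimaryDomain.com"
}

foreach ($dom in $altDomains.Keys) {
    # Only the issuer URI differs per domain; Azure AD requires the
    # IssuerUri to be unique across every federated domain in the tenant.
    $uri = "https://$($altDomains[$dom])/dag/saml2/idp/metadata.php"

    # Refuse to federate a domain that is not verified in the tenant.
    $d = Get-MsolDomain -DomainName $dom
    if ($d.Status -ne "Verified") {
        throw "$dom is not verified in the tenant; cannot federate it."
    }

    # Step 8 from Duo's guide, run once per alt UPN domain.
    Set-MsolDomainAuthentication -DomainName $dom `
        -FederationBrandName "Duo Access Gateway" `
        -Authentication Federated `
        -IssuerUri $uri `
        -PassiveLogOnUri $LogOnUrl `
        -ActiveLogOnUri $ecpUrl `
        -LogOffUri $LogOffUrl `
        -SigningCertificate $cert `
        -PreferredAuthenticationProtocol SAMLP

    # Verification: the stored IssuerUri must be the per-domain one we set.
    $fs = Get-MsolDomainFederationSettings -DomainName $dom
    if ($fs.IssuerUri -ne $uri) {
        throw "IssuerUri mismatch for $dom (got '$($fs.IssuerUri)')"
    }
    Write-Host "$dom federated; IssuerUri=$($fs.IssuerUri)"
}
```

After running it, still do a real sign-in test with a user from each alt UPN domain, since the cmdlet output only proves the tenant-side settings, not that the DAG issues a SAML response Office 365 accepts.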

Another thought: I bet this would probably work with Okta as well, following the same logic.

Good Luck!


Silas Thomas

Technologist, Consultant, Business Owner, and Private Pilot