Dean_Gross
Silver Contributor
Dec 01, 2019

Moving from DUO MFA

We have a client that wants to move from DUO MFA to Azure MFA. Is anyone aware of any technical issues that we should be prepared to handle?

  • CloudHal
    Iron Contributor

    Dean_Gross, it depends what they are using it for, e.g. integrated with ADFS, VPN, web forms, etc. Look at all the integration points and see how each of those can be integrated with Azure AD MFA (e.g. does your firewall vendor support it if using VPN). Decide what token types you will allow (if using the Duo app, having the MS Authenticator app as well may get confusing, so you could start with just SMS).

    Also, don't enforce MFA; use conditional-access-based MFA, as it is far more flexible. Create a rule requiring e.g. MFA from external locations, and just apply it to a test group. Look at the user experience - they will get prompted to register when they next sign in to office.com.

    Azure AD is great for anything in Office 365 obviously, and also anything you integrate with Azure AD SSO. The on-prem integrations will be the tricky part.

  • Kelvin Papp
    Brass Contributor
    Assuming O365, my understanding of Duo is that it integrates using federation, with the Duo Access Gateway acting as the IDP in place of traditional ADFS.

    Whilst not a technical “issue”, the net result of this is that you will need to cut over in much the same way as a migration away from ADFS. From a user perspective this has the potential to be disruptive given the change in experience and the need to register for Azure MFA in place of Duo. You can ease this in two ways:

    - Get users to pre-register for Azure MFA via aka.ms/mfasetup
    - Consider using the new staged rollout feature to support a phased migration of users. You can configure Azure AD as the authentication source in place of the Duo IDP for a select group. Add users to this group bit by bit, removing federation altogether when you have the bulk migrated.

    As I say, not “issues” per se, but hopefully a couple of things that will help you on your way... this assumes O365 is the only integration of Duo. In line with the previous reply there will be other considerations for other services leveraging Duo.

    Do you have a lot of things you need to move across aside from O365? We can likely give you some additional things to consider if we understand what you are using Duo for today 👍

    Kelvin
    • Yong_Zhang
      Copper Contributor

      Hi Kelvin et al,

      I came across this, which is very helpful to our plan of migrating from Duo to Azure MFA.

      We are using AD FS (2016) federation with Duo integrated as an additional authentication method. My question is: is it possible to enable both Duo and Azure MFA on AD FS so we can pilot MFA with a selected group of users while keeping the rest of the users unchanged until we are ready to move all?

      Thanks in advance,

      Yong

  • Rampavan
    Copper Contributor
    Hi everyone,
    I just saw this post in the community hub regarding migration from Cisco Duo to Azure AD, and thought of asking this. I am stuck at the same point: I have a client who needs to migrate from Cisco Duo to Azure MFA. Can any of you please provide me with a detailed approach to it? It would help me to a great extent.

    Thank you in advance,
    Looking forward to hearing from you soon.
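
The conditional access rule CloudHal describes above (MFA from external locations, applied only to a test group) could be created like this with the Microsoft Graph PowerShell SDK. This is an added example, not code from any poster in the thread; the group and account IDs are placeholders, and the report-only starting state and the emergency-account exclusion are assumptions added here.

```powershell
# Added example: assumes the Microsoft.Graph PowerShell module is installed
# and the signed-in admin may manage conditional access policies.
# Both object IDs are placeholders, not values from the thread.
$pilotGroupId     = '<pilot-group-object-id>'
$breakGlassUserId = '<emergency-access-account-object-id>'

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess',
                        'Policy.Read.All',
                        'Application.Read.All'

$policy = @{
    displayName = 'PILOT - Require MFA outside trusted locations'
    # Assumption: start in report-only mode so sign-in logs show who would
    # have been prompted. Switch to 'enabled' after reviewing the results.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        users = @{
            # Scope the rule to the test group only.
            includeGroups = @($pilotGroupId)
            # Assumption: keep one emergency account outside the policy
            # so a misconfiguration cannot lock every admin out.
            excludeUsers  = @($breakGlassUserId)
        }
        applications = @{
            includeApplications = @('All')
        }
        locations = @{
            # "External locations": everywhere except named locations
            # that the tenant has marked as trusted.
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

The `AllTrusted` exclusion only has an effect once the tenant's office or VPN egress ranges are defined as trusted named locations.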
