Moving from DUO MFA

Dean_Gross depends what they are using it for. e.g. integrated with ADFS, VPN, web forms etc. Look at all the integration points, see how each of those can be integrated with Azure AD MFA (e.g. does your firewall vendor support it if using VPN). Decide what token types you will allow (if using duo app, having the MS authenticator app as well may get confusing, so you could start with just SMS).

Also don't enforce MFA, use conditional access based MFA as it is far more flexible. Create a rule requiring e.g. MFA from external locations, and just apply it to a test group. Look at the user experience - they will get prompted to register when they next sign in to office.com.

Azure AD is great for anything in Office 365 obviously, and also anything you integrate with Azure AD SSO. The on-prem integrations will be the tricky part.