Dec 02 2019 01:06 AM
@Dean Gross depends what they are using it for, e.g. integrated with ADFS, VPN, web forms etc. Look at all the integration points, see how each of those can be integrated with Azure AD MFA (e.g. does your firewall vendor support it if using VPN). Decide what token types you will allow (if using the Duo app, having the MS Authenticator app as well may get confusing, so you could start with just SMS).
Also, don't enforce MFA; use Conditional Access-based MFA, as it is far more flexible. Create a rule requiring e.g. MFA from external locations, and just apply it to a test group. Look at the user experience - they will get prompted to register when they next sign in to office.com.
Azure AD is great for anything in Office 365 obviously, and also anything you integrate with Azure AD SSO. The on-prem integrations will be the tricky part.
Dec 08 2019 11:09 AM - edited Dec 08 2019 11:12 AM
Mar 21 2020 01:43 PM - edited Mar 21 2020 01:44 PM
Hi Kelvin et al,
I came across this, which is very helpful to our plan of migrating from Duo to Azure MFA.
We are using AD FS (2016) federation with Duo integrated as an additional authentication method. My question is whether it is possible to enable both Duo and Azure MFA on AD FS so we can pilot MFA with a selected group of users while keeping the rest of the users unchanged until we are ready to move all?
Thanks in advance,
Mar 29 2020 01:46 AM
My organization is also interested in a phased migration from the Duo ADFS adaptor to Azure MFA, and we too are using ADFS 2016 (Farm Behaviour Level 3, SQL configuration database). I'd be interested in learning any tips you might encounter.
One I found was that an upgrade to ADFS 2019 and increasing the FBL to 4 will give you the capability of assigning the MFA on a per-Relying Party Trust basis (https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/whats-new-active-directory-f... "Authentication/Policy capabilities"). This might be the way to go eventually, but I still wonder if there is a way that we can use group-assigned MFA policy per RPT, perhaps via a claims rule.
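As an added example (not from any poster in this thread), one way to scope an additional-authentication requirement to a pilot AD group on a single relying party trust is AD FS's per-RPT additional authentication rules, written in the claims-rule language; the RPT name and group SID below are placeholders, and the script assumes it runs on an AD FS server with the ADFS PowerShell module.

```powershell
# Added example: require the "multipleauthn" method (satisfied by whichever
# additional authentication providers are enabled on the farm) only for members
# of a pilot group, and only on one relying party trust.
# Placeholders: replace the RPT name and group SID with your own values.
$rptName  = "Contoso Intranet Portal"                           # placeholder RPT name
$pilotSid = "S-1-5-21-0000000000-0000000000-0000000000-1234"    # placeholder group SID

# Optional: resolve the SID from the group name if the RSAT AD module is installed.
# $pilotSid = (Get-ADGroup "MFA-Pilot").SID.Value

# Claims-rule language: if the incoming group SID claims (passed through by the
# default Active Directory claims provider trust) contain the pilot group's SID,
# issue the authenticationmethod claim that makes AD FS demand the extra factor.
$rule = @"
@RuleName = "Require MFA for pilot group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$pilotSid"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

# Record the current rules first so the change can be rolled back.
$rpt = Get-AdfsRelyingPartyTrust -Name $rptName
Write-Host "Existing additional authentication rules:`n$($rpt.AdditionalAuthenticationRules)"

# On AD FS 2016+, an RPT that uses an access control policy cannot take custom
# rules until the policy is cleared; uncomment if that applies to this RPT.
# Set-AdfsRelyingPartyTrust -TargetName $rptName -AccessControlPolicyName $null

Set-AdfsRelyingPartyTrust -TargetName $rptName -AdditionalAuthenticationRules $rule

# Verify the rule took effect; users outside the pilot group see no MFA prompt
# on this RPT, other RPTs are untouched.
(Get-AdfsRelyingPartyTrust -Name $rptName).AdditionalAuthenticationRules
```

Test with a pilot-group member and a non-member against this RPT only, and check the AD FS admin event log for rule-processing errors before widening the group.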