Moving from DUO MFA

Dean Gross
Respected Contributor

We have a client that wants to move from DUO MFA to Azure MFA. Is anyone aware of any technical issues that we should be prepared to handle?

@Dean Gross It depends on what they are using it for, e.g. integrated with ADFS, VPN, web forms, etc. Look at all the integration points and see how each of those can be integrated with Azure AD MFA (e.g. does your firewall vendor support it if using VPN). Decide what token types you will allow (if using the Duo app, having the MS Authenticator app as well may get confusing, so you could start with just SMS).

Also, don't enforce MFA; use conditional access-based MFA, as it is far more flexible. Create a rule requiring e.g. MFA from external locations, and just apply it to a test group. Look at the user experience: they will get prompted to register when they next sign in to office.com.

Azure AD is great for anything in Office 365 obviously, and also anything you integrate with Azure AD SSO. The on-prem integrations will be the tricky part.
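The pilot policy described in this reply (MFA required only from outside trusted locations, scoped to a test group), written as a Microsoft Graph PowerShell example added here, not code from the thread. It assumes the Microsoft.Graph module is installed and that you replace the placeholder group object id; the policy starts in report-only mode so you can review the sign-in logs before enforcing it.

```powershell
# Added example, not from the original thread.
# Assumes the Microsoft.Graph PowerShell module and the
# Policy.ReadWrite.ConditionalAccess permission scope.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Pilot - require MFA from external locations"
    # Report-only first: the policy is evaluated and logged but not enforced,
    # so you can check who would have been prompted before switching to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Placeholder: object id of the test group, not a real value.
        users        = @{ includeGroups = @("<PILOT-GROUP-OBJECT-ID>") }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            # Named locations you have marked as trusted are exempt,
            # so MFA is only required from external locations.
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Creates the policy; the returned object contains its id for later updates.
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Once the report-only results look right for the pilot group, change `state` to `"enabled"` and widen the group membership in stages.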

Assuming O365, my understanding of Duo is that it integrates using federation, with the Duo Access Gateway acting as the IDP in place of traditional ADFS.

Whilst not a technical “issue”, the net result of this is that you will need to cut over in much the same way as a migration away from ADFS. From a user perspective this has the potential to be disruptive, given the change in experience and the need to register for Azure MFA in place of Duo. You can ease this in two ways:

- Get users to pre-register for Azure MFA via aka.ms/mfasetup
- Consider using the new staged rollout feature to support a phased migration of users. You can configure Azure AD as the authentication source in place of the Duo IDP for a select group. Add users to this group bit by bit, removing federation altogether when you have the bulk migrated.

As I say, not “issues” per se, but hopefully a couple of things that will help you on your way... This assumes O365 is the only integration of Duo. In line with the previous reply, there will be other considerations for other services leveraging Duo.

Do you have a lot of things you need to move across aside from O365? We can likely give you some additional things to consider if we understand what you are using Duo for today :thumbs_up:

Kelvin