Microsoft Tech Community

Moving from DUO MFA

We have a client that wants to move from DUO MFA to Azure MFA. Is anyone aware of any technical issues that we should be prepared to handle?

5 Replies

@Dean Gross It depends what they are using it for, e.g. integrated with ADFS, VPN, web forms etc. Look at all the integration points and see how each of those can be integrated with Azure AD MFA (e.g. does your firewall vendor support it if using VPN). Decide what token types you will allow (if using the Duo app, having the MS Authenticator app as well may get confusing, so you could start with just SMS).

Also don't enforce MFA, use conditional access based MFA as it is far more flexible. Create a rule requiring e.g. MFA from external locations, and just apply it to a test group. Look at the user experience - they will get prompted to register when they next sign in to office.com.

Azure AD is great for anything in Office 365 obviously, and also anything you integrate with Azure AD SSO. The on-prem integrations will be the tricky part.
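The pilot rule described in the reply above (MFA required from external locations, scoped to a test group), as an added example that is not part of the original thread. It uses the Microsoft Graph PowerShell module; the group name is a hypothetical placeholder, and it assumes the tenant's corporate egress addresses are already defined as trusted named locations.

```powershell
# Added example, not code from the thread.
# Assumptions: the pilot group name below is hypothetical, and trusted named
# locations already exist so that "AllTrusted" means "internal network".
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

$pilotGroupName = 'MFA-Pilot-Users'   # hypothetical test group

# Resolve the pilot group and refuse to continue on zero or duplicate matches,
# so the policy is never scoped to the wrong set of users.
$groups = @(Get-MgGroup -Filter "displayName eq '$pilotGroupName'")
if ($groups.Count -ne 1) {
    throw "Expected exactly one group named '$pilotGroupName', found $($groups.Count)."
}

$policy = @{
    displayName = 'Pilot: require MFA from external locations'
    # Report-only first: sign-in logs show what would have been prompted
    # without changing the experience for anyone.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeGroups = @($groups[0].Id) }
        locations      = @{
            includeLocations = @('All')          # every location...
            excludeLocations = @('AllTrusted')   # ...except trusted (internal) ones
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Once the report-only results for the pilot group look right, setting `state` to `enabled` turns on enforcement for that group only.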

Assuming O365, my understanding of Duo is that it integrates using federation, with the Duo Access Gateway acting as the IDP in place of traditional ADFS.

Whilst not a technical “issue”, the net result of this is that you will need to cut over in much the same way as a migration away from ADFS. From a user perspective this has the potential to be disruptive given the change in experience, and need to register for Azure MFA in place of Duo. You can ease this in two ways:

- Get users to pre-register for Azure MFA via aka.ms/mfasetup
- Consider using the new staged rollout feature to support a phased migration of users. You can configure Azure AD as the authentication source in place of the Duo IDP for a select group. Add users to this group bit by bit, removing federation altogether when you have the bulk migrated.

As I say, not “issues” per se, but hopefully a couple of things that will help you on your way... this assumes O365 is the only integration of Duo. In line with the previous reply there will be other considerations for other services leveraging Duo.

Do you have a lot of things you need to move across aside from O365? We can likely give you some additional things to consider if we understand what you are using Duo for today.

Kelvin

Hi Kelvin et al,

I came across this, which is very helpful to our plan of migrating from Duo to Azure MFA.

We use AD FS (2016) federation with Duo integrated as an additional authentication method. My question is: is it possible to enable both Duo and Azure MFA on AD FS so we can pilot MFA with a selected group of users while keeping the rest of the users unchanged until we are ready to move all?

Thanks in advance,

Yong

Hi @Yong_Zhang,

My organization is also interested in a phased migration from the Duo ADFS adaptor to Azure MFA, and we too are using ADFS 2016 (Farm Behaviour Level 3, SQL configuration database). I'd be interested in learning any tips you might encounter.

One I found was that an upgrade to ADFS 2019 and increasing the FBL to 4 will give you the capability of assigning the MFA on a per-Relying Party Trust basis (https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/whats-new-active-directory-f... "Authentication/Policy capabilities"). This might be the way to go eventually, but I still wonder if there is a way that we can use group-assigned MFA policy per RPT, perhaps via a claims rule.

Hi Everyone
I have just seen this post in the community hub regarding migration from Cisco Duo to Azure AD, and thought of asking this. I was also stuck at the same point: I have a client who needs to migrate from Cisco Duo to Azure MFA. Can any of you please provide me with a detailed approach to it? It would help me to a great extent.

Thank you in advance,
Looking forward to hearing from you soon.