Forum Discussion
Move From Duo SSO to Azure Entra ID MFA (synched from ADDS on-prem)
Hello,
I have Duo set up to MFA users for RD gateway for remote connections from outside to an on-prem gateway server, RD web, and several SaaS apps that integrate with SAML including our Microsoft 365 user logins to Duo SSO. We have ADDS on-prem and sync users up to Azure through the AD Connect.
I am trying to find clear answers on how to cut back over from Duo SSO to start using Azure's MFA solution. Do we cut over one thing at a time or do all cut over because all our users authenticate with our on-prem AD synched up to Azure already?
I understand we use conditional access policies, but I don't know how to cut over to Azure MFA from Duo. Microsoft Learn documents talk about how great it is but never provide actual steps so that users begin to MFA with Azure (Duo uses a Powershell script and also provides secret/integration keys, for example). I am hoping someone has gone through the process that could point in the right direction to get us back to Azure MFA instead of using Duo SSO.
Thanks!
B
- Joe StockerBronze ContributorI work for a Microsoft Partner who has done a lot of these DUO MFA to Microsoft Authenticator migrations. I'll do my best to summarize the key points and provide the documentation here.
Since you stated you have conditional access, that means you have Entra P1 (for all users who will use Conditional Access).
If you have Entra P2 you can use the MFA Registration feature, which is nice because it gives users a 14-day grace period to enroll into MFA (they can skip if they are not ready). You can target a group of users with this method.
Otherwise, for P1 you'll need to send an email to your users asking them to enroll into Microsoft Authenticator App, for example, by guiding them to this page: https://aka.ms/mysecurityinfo
There are end-user communication guides available that show them screen shots of the experience for download here: https://www.microsoft.com/en-us/download/details.aspx?id=57600
There is a general deployment guide for Admins available here:
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-getstarted
After the users you have targeted with the email communications have enrolled into MFA then you can do a phased migration by putting pilot users into a Group, and then create a new conditional access policy that uses that group and then in the Grant control use the Require MFA (which will use the Authenticator App instead of DUO). Exclude this group from the DUO Conditional Access Policy.
You can view a report to make sure all users have registered into Authenticator App here:
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-reporting
You may want to consider waiting until Passkeys rollout which is expected in April 2024 according to the Roadmap here:
https://www.microsoft.com/en-us/microsoft-365/roadmap?rtc=1&filters=&searchterms=passkey
When that is done, then you can target that RDP Gateway server. To do that you'll need to spin up a separate VM running Microsoft NPS and the MFA extension as detailed here:
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension-rdg- RKONJoeCopper Contributor
Microsoft says that, " Every edition of Microsoft Entra ID includes Microsoft Entra multifactor authentication. No other license is needed for a registration campaign." This is in the Prerequisites for the registration campaign documentation. Link.
Are you looking somewhere else? it would suck if it required a P2
Joe