Move From Duo SSO to Azure Entra ID MFA (synced from ADDS on-prem)


Hello,

I have Duo set up to MFA users for RD Gateway for remote connections from outside to an on-prem gateway server, RD Web, and several SaaS apps that integrate with SAML, including our Microsoft 365 user logins to Duo SSO. We have ADDS on-prem and sync users up to Azure through AD Connect.

I am trying to find clear answers on how to cut back over from Duo SSO to start using Azure's MFA solution. Do we cut over one thing at a time, or all at once, because all our users already authenticate with our on-prem AD synced up to Azure?

I understand we use Conditional Access policies, but I don't know how to cut over to Azure MFA from Duo. Microsoft Learn documents talk about how great it is but never provide actual steps so that users begin to MFA with Azure (Duo uses a PowerShell script and also provides secret/integration keys, for example). I am hoping someone who has gone through the process could point us in the right direction to get back to Azure MFA instead of using Duo SSO.

Thanks!

B

2 Replies

I work for a Microsoft Partner who has done a lot of these Duo MFA to Microsoft Authenticator migrations. I'll do my best to summarize the key points and provide the documentation here.
Since you stated you have conditional access, that means you have Entra P1 (for all users who will use Conditional Access).
If you have Entra P2 you can use the MFA Registration feature, which is nice because it gives users a 14-day grace period to enroll into MFA (they can skip if they are not ready). You can target a group of users with this method.
Otherwise, for P1 you'll need to send an email to your users asking them to enroll in the Microsoft Authenticator app, for example by guiding them to this page: https://aka.ms/mysecurityinfo
There are end-user communication guides, with screenshots of the experience, available for download here: https://www.microsoft.com/en-us/download/details.aspx?id=57600
There is a general deployment guide for Admins available here:
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-getstarted
After the users you have targeted with the email communications have enrolled in MFA, you can do a phased migration: put pilot users into a group, create a new Conditional Access policy that targets that group, and in the Grant control select Require MFA (which will use the Authenticator app instead of Duo). Exclude this group from the Duo Conditional Access policy.
You can view a report to make sure all users have registered in the Authenticator app here:
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-reporting
You may want to consider waiting until the passkeys rollout, which is expected in April 2024 according to the roadmap here:
https://www.microsoft.com/en-us/microsoft-365/roadmap?rtc=1&filters=&searchterms=passkey

When that is done, you can target the RD Gateway server. To do that you'll need to spin up a separate VM running Microsoft NPS and the MFA extension, as detailed here:
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension-rdg
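As an added example (not from Joe's reply, and not a Microsoft-provided script), here is the pilot-group step above done with the Microsoft Graph PowerShell SDK: create a new Conditional Access policy that requires MFA for a pilot group, then exclude that same group from the existing Duo policy so pilot users are not prompted by both. The group name and policy names are placeholders; substitute your own. The new policy is created in report-only mode so you can review sign-in logs before enforcing it.

```powershell
# Added example: phased Entra MFA pilot via Conditional Access (Microsoft Graph PowerShell SDK).
# Requires the Microsoft.Graph.Groups and Microsoft.Graph.Identity.SignIns modules.
# Names below are placeholders, not values from the post.

Connect-MgGraph -Scopes "Group.Read.All","Policy.Read.All","Policy.ReadWrite.ConditionalAccess"

$pilotGroupName  = "MFA-Pilot-Users"            # placeholder: your pilot group
$duoPolicyName   = "Duo SSO MFA"                # placeholder: your existing Duo CA policy
$pilotPolicyName = "Pilot - Require Entra MFA"  # placeholder: name for the new policy

# Drop $null entries so an empty property never serializes as [null].
function Clean([object[]]$items) { @($items | Where-Object { $_ }) }

$pilot = Get-MgGroup -Filter "displayName eq '$pilotGroupName'"
if (-not $pilot) { throw "Pilot group '$pilotGroupName' not found" }

# 1. New policy: require MFA for the pilot group on all cloud apps.
#    Report-only state records what would happen in the sign-in logs without blocking anyone.
$pilotPolicy = @{
    displayName = $pilotPolicyName
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after reviewing the logs
    conditions  = @{
        users          = @{ includeGroups = @($pilot.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $pilotPolicy
"Created '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"

# 2. Exclude the pilot group from the Duo policy.
#    Re-send the existing include/exclude lists with the pilot group appended, rather than
#    only the new excludeGroups value, so nothing already on the policy is dropped.
$duo = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$duoPolicyName'"
if (-not $duo) { throw "Duo policy '$duoPolicyName' not found" }
$u = $duo.Conditions.Users
$a = $duo.Conditions.Applications
$excludeGroups = (Clean $u.ExcludeGroups) + $pilot.Id | Select-Object -Unique

$patch = @{
    conditions = @{
        users = @{
            includeUsers  = Clean $u.IncludeUsers
            excludeUsers  = Clean $u.ExcludeUsers
            includeGroups = Clean $u.IncludeGroups
            excludeGroups = @($excludeGroups)
            includeRoles  = Clean $u.IncludeRoles
            excludeRoles  = Clean $u.ExcludeRoles
        }
        applications = @{
            includeApplications = Clean $a.IncludeApplications
            excludeApplications = Clean $a.ExcludeApplications
            includeUserActions  = Clean $a.IncludeUserActions
        }
        clientAppTypes = Clean $duo.Conditions.ClientAppTypes
    }
}
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $duo.Id -BodyParameter $patch

# 3. Verify the exclusion actually landed before moving any more users.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $duo.Id
if ($check.Conditions.Users.ExcludeGroups -contains $pilot.Id) {
    "Pilot group is now excluded from '$duoPolicyName'"
} else {
    Write-Warning "Exclusion not present on '$duoPolicyName'; inspect the policy in the Entra portal"
}
```

Run this from an account that holds the Conditional Access Administrator role, review the report-only results in the sign-in logs for the pilot group, and only then flip the new policy's state to enabled. Moving the next wave is just adding users to the pilot group, since both policies key off the group rather than individual users.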

@Joe Stocker 

Microsoft says that "Every edition of Microsoft Entra ID includes Microsoft Entra multifactor authentication. No other license is needed for a registration campaign." This is in the Prerequisites section of the registration campaign documentation.

Are you looking somewhere else? It would suck if it required a P2.

Joe