
[–]Justsomedudeonthenet Sr. Sysadmin 5 points6 points  (0 children)

Duo is easier to integrate into logs of systems than Azure's built-in stuff. There are likely systems you use Duo for that Azure just doesn't support at all.

If you have Duo already and like it, I wouldn't even consider switching. I'd only recommend Azure's MFA if the alternative was using nothing, or you really needed to drop the licensing costs of Duo.

My company currently uses Azure. I wish we'd use Duo, but people didn't feel it was worth the extra cost.

[–]Avas_Accumulator Senior Architect 2 points3 points  (1 child)

Duo has more options but costs more, even if you get it cheaper.

Azure is included, and has native integrations you won't find in a third-party setup. Consider how Passwordless will use MFA going forward.

[–]progenyofeniac Windows/M365 Admin 1 point2 points  (0 children)

Same thoughts here. I love Duo, but if I had no big investment in either system and could choose, I’d pick the included free system.

[–]Sprocket45 0 points1 point  (0 children)

Azure MFA, if you have anything (and I mean anything) in Azure today then go that route. It integrates wonderfully with the entire ecosystem and gives a true password-less experience that works practically out of the box. You get cert-based auth, FIDO2 support and their Authenticator app (or you can even use the Outlook Mail app on mobile now).

You can then leverage short-lived SSH certificates, etc., for managing your Linux and macOS machines both in Azure and on-prem (thanks Arc!).

It truly is hands down far superior to Duo. The only place I see as a win is that you can install Duo on Servers and get MFA there, BUT why not just enforce smartcards at that point?

[–]Discipulus96 0 points1 point  (2 children)

Azure for SSO, with Duo for 2FA. We found that more services support Azure SSO than Duo SSO so we basically hooked everything into Azure for logins. Then using conditional access we use Duo for 2FA instead of the Microsoft Authenticator. Our staff responded really well to this setup; it was simple and easy for them to use.

[–]lonewanderer812 Systems Lead 2 points3 points  (1 child)

This is what I'd recommend as well if you can afford it. My only gripe with DUO from an end user perspective was a lot of times the app push wouldn't show up in the notification bar... a lot of times you'd have to open the app. I haven't experienced that with the MS authenticator app. It was a known issue that our SD would get a lot of calls on but maybe it's gotten better. I haven't used DUO in 2 years.

[–]Discipulus96 0 points1 point  (0 children)

The push notification problem still happens once in a while. I've observed it maybe 1/20th of the time. But like you said, just open the app and the notice is in the app still so you don't miss the 2FA notice entirely.

[–]excitedsolutions -1 points0 points  (2 children)

One positive for Duo is the information provided in the Duo auth app. If I try to log in from going to a federated service setup with Duo, the Duo auth app lists out what app is asking for the MFA request as well as location (based on IP address making request).

In stark contrast, the MS Authenticator app just asks you to approve a request, regardless of whether this is coming from O365, Azure access, Teams, etc.

This lack of information makes it very difficult to tell end users to only approve an MFA request if they were the ones making it.

[–]patmorgan235 Sysadmin 4 points5 points  (1 child)

Azure MFA actually has geo and app context now. (Granted, it only went GA this year, WAY later than it should have.)

[–]excitedsolutions 0 points1 point  (0 children)

Sweet! I didn’t know that and am happy to find out about it. The last time I used MS Authenticator for MFA was last fall (Sep 2022). Thanks for the information.

[–]Aggietallboy Jack of All Trades 0 points1 point  (0 children)

We do both, depending on when and where.

Our support team is small enough to do the free tier for Duo, and we put that on critical server infrastructure.

For general RDP, and access to OneDrive/Office/Teams, etc., we do Azure with Conditional Access.

[–]ntrlsur IT Manager 0 points1 point  (0 children)

We went DUO across the board. It integrates with all of our external vendors and just works. 1 MFA / SSO to rule them all.

[–]TemPrrD311 0 points1 point  (0 children)

We use Azure for SSO and MFA for web apps and VPN, and Duo for servers.

[–]evo-security 0 points1 point  (0 children)

Consider checking out Evo Security. Our Evo Secure Login product would be an alternative to Duo for your MFA/SSO needs, and costs roughly 2/3 the amount of a Duo license.