I'm curious to hear from anyone who's made the switch from Duo to Microsoft Entra or Microsoft Authenticator for multi-factor authentication (MFA). Our management is looking to cut costs and since we're already on Microsoft 365, they think this will be a good move. We're aware that we won't have RDP or logon screen MFA, but that's not a big deal for us as we're rolling out Windows Hello. The Duo MFA on our RDP servers was only on a few systems and wasn't fully secure anyway. So, for those who have migrated, what has your experience been? I'd like to know any pros or cons you've encountered.
4 Answers
We switched from Duo to Entra/Authenticator a couple of years back with about 250 users and it went very smoothly. We informed everyone through email weeks before the change, providing instructions for setting up the app. On the switch day, we disabled Duo and turned on Entra MFA via a conditional access policy. Users received a prompt on their first login that guided them through the setup process. There were a few questions from users, but overall, it was easier than I expected. The only tricky part was migrating a handful of users with YubiKeys, but it wasn't a huge deal. It's been a hassle-free experience overall!
I’m interested in this thread too since I’m also planning to move to Microsoft Authenticator for most users. We're keeping Duo for specific cases though, especially because some users still rely on RDS for now. It’s nice to look forward to potential savings from Duo licensing! But I find it a little annoying that Microsoft doesn’t provide a smooth prompt for RDP, unlike Duo. I'm also implementing Windows Hello for Business, which is pretty exciting!
I had a similar experience with my clients. They've transitioned smoothly and many users hardly even remember their passwords anymore! It's been a relief for everyone.
I’ve been using Microsoft Authenticator for sometime now and I’ve noticed it works very smoothly. Apple users sometimes complain about the notification timing, but overall, it’s pretty reliable. However, I did run into some trouble with notifications being delayed on Android devices. Migrating to Passkeys has also been a breeze — users just select their account, hit 'Create Passkey', and they’re done! Super convenient!
We did the migration to Microsoft Authenticator at my MSP, and despite some initial hiccups with the NPS server configuration, it turned out alright. We ended up having to set up a second NPS server just for WiFi to avoid issues. Users are adapting, but some miss the user-friendliness of Duo. At least there’s still a decent level of security with Approve/Deny prompts through Entra!
Seems like NPS can be a bit of a pain point. I guess managing it all depends on how complex the existing setup is.
I heard that for RDS, there isn't a solid alternative in MS's offering, so some users resort to using MultiOTP along with Authenticator for generating codes. What a workaround!