Showing results for 
Search instead for 
Did you mean: 

AD connector and SSO Entra ID migration

Level 1
Level 1


We currently have DUO deployed for MFA for Anyconnect VPN clients terminating on an FTD.  Using AD connector as the identity source for users.  We would like to move away from this and configure Anyconnect Clients to connect to Meraki and use SAML for authentication via DUO with Entra ID as the authentication source.  Query is can Entra ID identity source be configured within DUO without disrupting service to existing users?  Can both AD and Entra ID run in parallel?


3 Replies 3

Cisco Employee
Cisco Employee

Today you may only use a single type of SSO authentication source at a time. You can't use AD authentication and SAML authentication at the same time for the same application. You can set up Entra as the SAML auth source in parallel, but today only one can be enabled at a time, so you would experience brief disruption as you disable one and enable the other.

We have support for multiple authentication sources in Duo SSO on our roadmap. Please contact Duo Support to have your org associated with that feature request.

If you are using directory sync from AD into Duo you can migrate the sync from AD to Entra source using this guide: 

How do I change from using Active Directory to Microsoft Entra ID for Duo Directory Sync? 

Duo, not DUO.


This would be for a separate application.  currently using "Cisco ISE Radius" using radius and AD for authentication.  We are looking to add / migrate to "Meraki Secure Client" using SAML / SSO with Entra ID as the identity source.  Both AD and Entra ID are linked so same user account.  What i am trying to understand is can I run both in parallel, existing ISE radius continue to use AD and the new Meraki app use SSO / Entra ID without impacting existing service

Yes, you can leave a RADIUS integration with Duo Authentication proxy in place while also deploying any Duo SSO application. They are distinct from each other. If the same users will log into both you will want to make sure that the SSO username is the same as the ISE RADIUS username so they match the same Duo user or that it has been added as a username alias to the existing Duo user.

Duo, not DUO.
Quick Links