Hi,
First, I have to say I have no clue on how AD<=>AAD sync works.
What is the single source of truth in your case? I mean, for what I understand:
- Your local AD is where you handle your users.
- You have a sync with this AD for your AAD.
- Duo is also synced with your AD (but you’d like to point Duo to AAD)
The only concern I see here is: what if your sync between your on-prem AD and AAD has issues? Your Duo won’t be up to date.
So, I’d rather recommend you move your single source of truth to AAD (i.e. managing your users in AAD instead of your on-prem AD) and then, when it is done, you may move the Duo sync to AAD.
Now, a last question: why do you want to move away from the Duo AuthC proxy?
HTH,
Antony