Hi! I'd be happy to help you with your questions regarding the transition from DUO MFA to Azure MFA on Cisco VPN.
1) Yes, you can move users to Azure MFA in a phased approach. You can do this by creating different VPN profiles or connection profiles for different groups of users. One profile would be configured with DUO MFA, and the other profile would be configured with Azure MFA. As you move users in batches, you can simply update their VPN profiles to point to the Azure MFA configuration. This allows for a smooth transition without a hard cutover.
2) The Azure MFA configuration for VPN users can be done in two places, depending on how your customer's environment is set up.
b) If the customer uses Firepower Threat Defense (FTD) VPN without ISE, then the Azure MFA configuration would be done in FTD by integrating it with Azure MFA using RADIUS. In this case, you would need to set up a Network Policy Server (NPS) in your environment and then configure the NPS extension for Azure MFA. Once complete, you would point your FTD RADIUS configuration to the NPS server. Here's a guide on how to integrate FTD with Azure MFA using NPS: https://www.51sec.org/2020/03/31/cisco-ftd-azure-mfa-integration/
I hope this helps! If you have any further questions or need more assistance, feel free to ask.
This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication. This is part of a monitored experiment to see if the bot can help answer questions alongside community members.
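Added example, not part of the original reply and not Cisco tooling: during the phased move described in point 1, a script like this can read a saved running config and report which remote-access connection profiles are bound to which RADIUS server group, so a profile left without an MFA-backed group stands out. It assumes ASA-style CLI syntax (`aaa-server`, `tunnel-group`, `authentication-server-group`) and that a profile with no explicit group uses LOCAL; all profile names, group names and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in ASA-style CLI syntax; names and addresses are made up.
SAMPLE_CONFIG = """\
aaa-server DUO-RADIUS protocol radius
aaa-server DUO-RADIUS (inside) host 10.0.0.10
aaa-server AZURE-NPS protocol radius
aaa-server AZURE-NPS (inside) host 10.0.0.20
tunnel-group VPN-DUO type remote-access
tunnel-group VPN-DUO general-attributes
 authentication-server-group DUO-RADIUS
tunnel-group VPN-AZURE type remote-access
tunnel-group VPN-AZURE general-attributes
 authentication-server-group (inside) AZURE-NPS
tunnel-group VPN-PILOT type remote-access
tunnel-group VPN-PILOT general-attributes
 address-pool PILOT-POOL
"""

def audit_profiles(config):
    """Map each remote-access connection profile to (AAA group, RADIUS hosts)."""
    hosts = defaultdict(list)   # AAA server group -> RADIUS host addresses
    auth_group = {}             # connection profile -> authentication-server-group
    profiles = []               # remote-access profiles, in config order
    current = None              # profile whose general-attributes block we are in
    for line in config.splitlines():
        if m := re.match(r"aaa-server (\S+) \(\S+\) host (\S+)", line):
            hosts[m.group(1)].append(m.group(2))
        elif m := re.match(r"tunnel-group (\S+) type remote-access", line):
            profiles.append(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) general-attributes", line):
            current = m.group(1)
        elif line.startswith(" ") and current:
            # Optional "(interface)" token may precede the group name.
            if m := re.match(r"\s+authentication-server-group (?:\(\S+\) )?(\S+)", line):
                auth_group[current] = m.group(1)
        else:
            current = None
    # Assumption: no explicit group means LOCAL, i.e. no RADIUS-based MFA.
    return {p: (auth_group.get(p, "LOCAL"), hosts.get(auth_group.get(p), []))
            for p in profiles}

def unprotected(report, mfa_groups):
    """Profiles not bound to one of the AAA groups known to enforce MFA."""
    return sorted(p for p, (group, _) in report.items() if group not in mfa_groups)

if __name__ == "__main__":
    print(unprotected(audit_profiles(SAMPLE_CONFIG), {"DUO-RADIUS", "AZURE-NPS"}))
```

Once every batch has moved, passing only the Azure-backed group as `mfa_groups` lists the profiles that still depend on the old provider.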