Thank you for the second one, I am still not convinced Microsoft will make it smooth as they only list third parties and a secondary method of authentication. I will go though our policies and see if they are set in a way so we won't lose MFA come October.

Ok in review it looks like the proper setup is protection with Microsoft Entra ID in Duo. I guess my next question is do you still need the MS 365 Duo app protection as well, or both, or more? Can someone from Duo chime in?

@bjames what exactly are you referring to when you say "MS 365 Duo app protection"? Do you mean M365 federated with Duo SSO?

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication#external-authentication-methods-and-identity-providers says:

"Support for external MFA solutions is in preview with external authentication methods, and can be used to meet the MFA requirement. The legacy Conditional Access custom controls preview won't satisfy the MFA requirement. You should migrate to the external authentication methods preview to use an external solution with Microsoft Entra ID. 

If you're using a federated Identity Provider (IdP), such as Active Directory Federation Services, and your MFA provider is integrated directly with this federated IdP, the federated IdP must be configured to send an MFA claim."

If you look at the various way Duo can protect Azure/Entra/M365 logins (most listed on https://duo.com/docs/o365), some of them can satisfy Microsoft's MFA claim and some cannot.

• Duo External Authentication Method for Entra ID External Authentication Methods (EAM) - YES
  
• Duo Two-Factor Authentication for Microsoft Entra ID (formerly Azure Active Directory) - NO
• Single Sign-On for Microsoft 365 with Duo Single Sign-On - YES
  
• Single Sign-On with Duo Access Gateway - NO
• Duo Multifactor for Microsoft Active Directory Federation Services - YES
  
• Single Sign-On with Third-Party Identity Providers - It depends on the IdP, and one would need to ask them if they send the MFA claim to Microsoft if someone authenticated at their service with their Duo integration.
  

If you already use Duo SSO for Microsoft 365, and every user who accesses the consoles and apps Microsoft listed in their email notice about MFA logs in through Duo SSO, then you're likely already meeting the requirement. If you have cloud-only (as in, not federated) users who sign into those consoles, who don't sign in with Duo at all right now, or sign in via the Duo custom control for CA, they don't meet the requirement and the recommended solution that features Duo would be Duo for Microsoft EAM for those cloud-only users - but this solution could co-exist with an SSO solution for federated users.

We have a kb article about the MFA requirement for Entra here: https://help.duo.com/s/article/8915?language=en_US (that reiterates some of what I've already shared).

Thank you Kristina, Yes we are using Duo SSO for Microsoft 365. I don't think this covers the Microsoft requirements for MFA as we are still getting warning emails from MS. We will add the Duo for MS Entra app and follow MS's External Authentication method in Entra to set this up. I guess my next logical questions would be what are the ramifications of having both the Duo apps - 365 and Entra at the same time?

Thanks

OK I think I get it, we can use both but the local Entra Admins (not in Sync'd AD) will need conditional access setup and the other Federated users using Duo do not require it.

Am I understanding this correctly?

Thank you so much! I wish Microsoft was this helpful