On Prem Active Directory MFA

Anyone had any experience adding an MFA layer to on-prem AD? Insurance companies are requiring MFA on everything and multiple customers are getting letters from their cyber-insurance carriers stating that they will not renew policies without MFA for AD, VPN, email, etc.

Yes, and we are using DUO security or connecting them to Azure for the MFA.

Thanks for the response.

I have been looking at Duo - seems like the market leader here.

To preface my follow up questions - I am not an “enterprise” guy - our sweet spot is generally 20-50 employee SMBs - all on-prem AD. I really struggle with Office365/Azure - avoid it as much as possible. In my opinion, it is a convoluted mess to navigate with disjointed product offerings and implementations. TBH - I have not worked with Azure at all - have avoided it like the plague.

That being said…

From a quick review of Duo - if I am understanding - Duo seems to add a layer to the login process on a per-machine basis. IE - User enters AD creds->AD auths user->Duo hooks in after AD auth and prompts for MFA->User is logged in. If I am understanding - this would mean that any machine that hasn’t had Duo installed can simply auth to AD as usual and bypass any MFA. In other words, Duo doesn’t directly interface or work together with AD.

From my very, very limited experience with Azure - I’ve only ever seen Azure implemented to sync on-prem and Azure directory data in order to have synced credentials for users using O365 and on-prem AD. In order to add MFA to the AD login process - does Azure have to be the primary (only) AD service? In other words - do you have to ditch on-prem AD? Does Azure then add MFA directly into the Windows login process?

I apologize if I am getting this all completely wrong and I appreciate any help with understanding this better.

It’s complex and I don’t really do much Azure myself. Here are the docs from Microsoft on it.