Access Gateway - without server


Do you have to have an on-prem server to run the DAG, in order to provide controls over Office etc.? Can it not be configured cloud to cloud, like a cloud security broker?


Hi @simon.moore!

You are correct. Today, the Duo Access Gateway must be configured on a physical or virtual host. While you could deploy the virtual host in cloud infrastructure like AWS or Azure, we don’t offer a 100% cloud-hosted SAML solution today.


Shame -
is it on the roadmap?
As a start-up, we don’t want any on-prem hardware, or a large IT team to manage it. The appeal of Duo was as a one stop show, simple to set up, with scalable user charges. Having to set up a server to protect my cloud apps such as Office sort of misses the point.



If you’re using Office 365 and have an Azure AD P1 subscription behind that, you can use our custom MFA control for Azure AD to protect Office 365 logins without a server deployment. If you use Azure AD as the authentication directory for other applications, you can apply the Duo CA control to those as well.

We also partner with other cloud identity providers to provide MFA, like Okta and OneLogin.

Do you have an account manager or customer success manager? They are able to have roadmap discussions with you. If you aren’t a Duo customer yet, you can sign up for free at


How does this compare with Akamai? On the face of it, it seems similar, but they are fully cloud based.


If you’re talking about Akamai Enterprise Application Access (EAA), you can use Duo MFA with that too. Here are those instructions: Akamai EAA | Duo Security


OK, got that. But given Akamai also do MFA, why would I not just all with them?


Are you saying I can use their service rather than your gateway - so avoiding the need for an on-prem server?


You can message me directly if you like.


Duo offers many options for adding MFA to Office.

On-premises solutions (which could also be run on a cloud-hosted VM like in AWS or Azure):

  • Duo Access Gateway (requires AD)
  • Duo MFA authenticator plugin for AD FS (requires AD)
  • Duo plugin for Shibboleth
  • Duo plugin for CAS

Cloud solutions by Duo:

  • Duo custom control for Azure AD Conditional Access (requires an Azure P1 subscription)

Cloud solutions from Duo partners:

  • Duo for Okta
  • Duo for OneLogin
  • Duo for Akamai EAA
  • Duo for Bitium
  • more

I can think of some reasons someone might not want to use the MFA offered in EAA (IIRC it’s SMS and email based, neither of which are as secure as an out of band push notification), but I’m not a sales person! As I mentioned, a Duo account manager could have roadmap discussions with you, or share specific reasons why customers have chosen Duo’s MFA over the MFA options offered by cloud IdP vendors (beyond reasons like ease of use, other applications and services supported, flexibility in authentication methods, access policies, etc.). Sign up for free at to start that conversation.