B2B user experience with Office 365 SAML and DAG

Does anyone know how an Azure B2B user behaves when a tenant is protected with the Duo Office 365 SAML app and a DAG?

Internal users would be redirected to the DAG login and their accounts would be in local AD and synced into Duo.

But the B2B users have their own emails addresses and I can’t find any information on what would happen to them. They’re not going to be listed in Duo, so if they were redirected to the DAG they couldn’t authenticate.

Are the Conditional Access policies in Azure the only method of enforcing MFA for B2B users?

You’re right. When you federate a tenant with an on-premises directory for SSO, only the federated users get redirected to the SAML IdP (Duo’s DAG or other IdP). Users who only exist in the O365 tenant (marked as “cloud-only” in the admin portal) complete native Azure authentication.

The Duo custom control for Azure CA would work for securing access for cloud-only users, but it does not support external guest accounts today. I think the B2B users are like guest users, and if so the Duo CA control wouldn’t work for them either.
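To make the split in the reply above concrete, here is an added example (not from the original thread, and not Duo or Microsoft tooling) that walks a tenant's users and reports which sign-in path each one takes: federated users are the only ones a SAML IdP such as the DAG will see, while guests and cloud-only members authenticate natively and need a Conditional Access policy. It assumes the Microsoft Graph PowerShell SDK and an account granted `User.Read.All` and `Domain.Read.All`; the function name `Get-MfaEnforcementPath` and the variable names are mine.

```powershell
# Added example, not code from the original thread. Assumes the Microsoft.Graph module.
Connect-MgGraph -Scopes "User.Read.All","Domain.Read.All" | Out-Null

# Only domains whose AuthenticationType is 'Federated' redirect sign-ins to the SAML IdP.
$federatedDomains = Get-MgDomain -All |
    Where-Object { $_.AuthenticationType -eq 'Federated' } |
    Select-Object -ExpandProperty Id

function Get-MfaEnforcementPath {
    # Hypothetical helper: classify one user by the sign-in path Azure AD will use.
    param(
        [Parameter(Mandatory)] [string]   $UserPrincipalName,
        [Parameter(Mandatory)] [string]   $UserType,
        [string[]] $FederatedDomains
    )

    # B2B guests are never federated: Azure AD rewrites their UPN to
    # user_externaldomain.com#EXT#@tenant.onmicrosoft.com, so the suffix is the
    # tenant's own domain, not the partner's, and the IdP is never consulted.
    if ($UserType -eq 'Guest' -or $UserPrincipalName -like '*#EXT#@*') {
        return 'Guest: native Azure AD sign-in; MFA must come from Conditional Access'
    }

    $suffix = ($UserPrincipalName -split '@')[-1]
    if ($FederatedDomains -contains $suffix) {
        return 'Federated: redirected to SAML IdP (DAG); MFA enforced there'
    }

    # Member account whose domain is managed (cloud-only): no IdP redirect either.
    return 'Cloud-only member: native Azure AD sign-in; MFA must come from Conditional Access'
}

Get-MgUser -All -Property UserPrincipalName,UserType |
    ForEach-Object {
        [pscustomobject]@{
            User = $_.UserPrincipalName
            Type = $_.UserType
            Path = Get-MfaEnforcementPath -UserPrincipalName $_.UserPrincipalName `
                                          -UserType $_.UserType `
                                          -FederatedDomains $federatedDomains
        }
    } | Format-Table -AutoSize
```

Any row that reports a native Azure AD sign-in is a user the DAG will never prompt, so those are the accounts a Conditional Access MFA policy has to cover.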