Building a case to move from ADFS4 to Duo's DAG for 365 auth


Folks, I’ve been asked to evaluate advantages of moving from an already installed ADFS4 infrastructure to using Duo’s DAG product for office 365 auth. After reviewing the doc’s and watching the DAG install support video I’m having a hard time seeing why this would be a good option.

The main reason for our switch is to provide better support for legacy mail clients, and from what I can gather, the DAG only provides a way to implement a exception group, allowing those contained users to bypass. (which could be done with a rule in ADFS as well). NOT an application password.

If you have made this comparison yourself, we would like to hear your advice!


Hello, Kelly_O_Keefe!

To be honest, it sounds like you’ll be better off sticking with ADFS.

The main advantage the DAG offers is the ability for you to configure a unique Duo policy for each Service Provder that is federated to your DAG. If O365 is the only Relying Party (Service Provider) you have federated to ADFS - or the only RP you wish to protect with Duo - this advantage becomes moot.

Considering that ADFS is already in your environment and it offers more flexiblity with Claims Rules than the DAG, I’d encourage you to stay with ADFS.