Hi @bas!
Federation is generally considered to be an all or nothing process.
I wouldn’t necessarily call it the easiest approach, but we have seen some success with Microsoft’s Staged Rollout feature.
What this feature is technically designed to do is let customers currently using a federated authentication flow add certain users to a group so that the user authenticates using only Azure AD, while allowing all others to keep using the federated flow.
However, the approach that some customers have taken is to put all users in a group and add that group to the Staged Rollout feature settings. From there, they would remove users from the group who they would like to test out Duo SSO. Overall, it works pretty well but there were certain cases (automated service accounts, etc.) that showed some unusual behavior. The feature was still in preview from Microsoft (and some parts might still be), so there is a chance that it has become more stable since then.
I hope this helps and at least provides and option for you to try!
Please let me know if you have any questions.
