Source: The Red Canary Blog: Information Security Insights
Author: Sam Straka
URL: https://redcanary.com/blog/security-operations/conditional-access-cisco-duo/

ONE SENTENCE SUMMARY: This blog post compares Microsoft’s Entra ID Conditional Access and Cisco’s Duo Adaptive Access Policies, highlighting their similarities, differences, and integration possibilities.

MAIN POINTS:
- Duo primarily provides MFA layered over existing identity solutions, unlike full IAM platforms such as Microsoft’s.
- Duo policies can be globally applied or targeted per application/user group, similar to Entra ID.
- Duo enforces MFA by default, with conditional bypass options for trusted scenarios.
- Device compliance checks in Duo use certificates or health apps, comparable to Entra ID Intune integration.
- Duo’s user interface for granular device policy rules is user-friendly and intuitive.
- Duo offers geolocation and trusted network conditions similar to Entra ID’s named locations.
- Duo introduced Risk-Based Authentication (RBA) in 2023, focusing on anomalies during MFA steps.
- Duo doesn’t directly block legacy authentication, relying instead on primary authentication systems.
- Duo excels at enforcing device health and compliance checks for sensitive resource access.
- Duo integrates as a third-party MFA provider with Entra ID Conditional Access via custom controls.

TAKEAWAYS:
- Duo is ideal for organizations looking primarily for strong MFA and device health checks.
- Microsoft Entra ID offers deeper integration with device management and broader risk evaluation signals.
- Duo’s RBA effectively addresses MFA fatigue and anomalous sign-in behaviors.
- Combining Duo with Entra ID provides comprehensive conditional access coverage but introduces complexity.
- Advanced conditional access features in both solutions require higher-tier licensing plans.