Hi Tiffany,
It sounds like you have Duo MFA configured with Azure Active Directory (AAD) using AAD Conditional Access for those Office 365 logins.
The way you'd get Duo MFA for external logins with Laserfiche is similar.
- Configure Laserfiche Directory Server (LFDS) to integrate with Azure AD for SSO as a SAML provider. (Duo is part of the AAD auth flow, so you do not directly connect Laserfiche and Duo.)
- Link the AAD SAML Provider to normal Active Directory as a Linked (formerly Proxied) Provider.
- Configure your external-facing Web Client instance to use LFDS for authentication. Deploy a second LFDSSTS instance on the public-facing web server if necessary.
  IMPORTANT: disable "Laserfiche authentication" and "Windows authentication" in LFDSSTS configuration so the only option is AAD. If you leave the other login options available, users can bypass AAD/Duo MFA.
- Configure an appropriate AAD Conditional Access policy so that Duo MFA is required for external logins to Laserfiche.
There are many little configuration items you have to get exactly right for this setup to work, so I highly recommend reaching out to your Solution Provider MCCi for assistance and sharing this Answers post with them.
Best,
Sam