This document is a revision of an original from the MFA Options Analysis project. The current version has eliminated models 2, 3, and 4 and added model 5x. The new diagram (Fig. 1) distinguishes between where 2FA policy is stored and where the Duo integration is configured. Model 5x is unique in that the 2FA policy and the Duo integration do not reside in the same system.
Figure 1 diagrams the high-level architecture for the four 2FA models still under consideration.
Figure 1. High-level architecture for O365/AAD/2FA models. Connected white boxes show the path for primary (password) authentication. Orange boxes show where 2FA policy is defined and stored. Blue boxes show where the Duo integration occurs.