When a 40-user company called us, the symptoms were familiar. Passwords reused across half a dozen apps. No MFA on anything that didn't force it. M365 on one side, Google Workspace on the other, because nobody had ever picked a lane. And an offboarding process that, on paper, disabled accounts but in practice left cached Windows credentials, app passwords, and stray sessions floating around on machines that nobody had touched in months.
The trigger wasn't a breach. It was the cyber insurance renewal. The carrier sent over a questionnaire, and a third of the boxes couldn't be honestly checked. That's how most of these calls start now.
The Gap
Mid-size businesses sit in an awkward spot. Big enough that a credential leak actually hurts payroll, banking, client data, all of it sitting behind logins. Small enough that there's usually no full-time security person, and the IT generalist is already buried in day-to-day tickets.
The two failure modes we see most:
No MFA on anything that doesn't shove it in your face. M365 admin accounts, sure. But the shared Dropbox? The accounting platform? The remote desktop into the file server? Single password, often reused, often known by more people than it should be.
Lingering access after offboarding. HR tells IT someone left. IT disables the AD account. But the laptop the person took home over the weekend still has cached creds. The VPN profile still works for a window. The phone still has an app password to email. The "we'll deal with the laptop when they bring it back" gap is where things go sideways.
This client had both, and they knew it.
Why Duo
We deploy Duo across most of our managed IT engagements at this size. A few reasons it earns the slot:
It does SSO and endpoint MFA in one stack. Most platforms do one well and the other as an afterthought. Duo's Windows Logon agent is mature and actually works offline, which matters when half your users are on laptops that wander off the network.
The push-based MFA gets adopted. Users tap a notification. They don't fight it the way they fight code-generator apps, and the help desk doesn't drown in "my code expired" tickets.
Federation to both M365 and Google is straightforward. When a client has both, which is more common than people admit, you don't want an IdP that treats one as a second-class citizen.
Pricing works at this scale. Not the cheapest option, but the per-user cost is predictable and doesn't balloon when you add features.
For larger or more complex environments we'll reach for Entra or Okta. At 25–100 users with mixed cloud, Duo is usually the right tool.
What We Deployed
Two pillars.
SSO for SaaS. Duo SSO stood up as the identity provider, federated to both M365 and Google Workspace. Directory sync from the client's existing AD so group membership drives app access. MFA enforced at the SSO layer, which means every downstream app inherits it: no per-app configuration drift, no "we forgot to turn it on for that one tool" gaps. Users get one login page, one set of credentials, one MFA prompt.
Windows Logon protection. Duo Authentication for Windows pushed to every workstation and server. MFA prompt on local console logon and on RDP. Offline access configured so a laptop on a plane still works, but with a bounded window. Group policy handled the rollout so we weren't touching machines individually.
The combination is what matters. SSO alone leaves the endpoint exposed: a stolen laptop with a cached Windows session is still a stolen laptop with access to whatever the user had open. Windows Logon alone doesn't fix the password sprawl across SaaS apps. Together, every door has a second lock.
The Rollout
Technical config is the easy part. The rollout is where deployments get derailed, so we plan it like a project, not a deployment.
We started with a pilot: IT staff plus one friendly department (in this case, operations). Two weeks. We wanted real users hitting real edge cases before we touched the rest of the company. A handful of things shook out: one legacy line-of-business app that didn't play nicely with SAML and needed a workaround, a couple of shared service accounts that had to be carved out of the MFA policy, and the predictable "I don't want to put a work app on my personal phone" conversation with two users. We had hardware tokens ready for that one; it's never not going to come up, so we stop arguing about it and just hand someone a token.
After the pilot, rollout went department by department over three weeks. Comms went out ahead of each wave: what's changing, why, what to expect, who to call. Help desk got a one-pager and a script for the three questions everyone asks ("why am I getting prompted twice," "what if I lose my phone," "do I have to do this every time"). Enrollment ran through a self-service portal so nobody had to sit with a tech to get set up.
The executive who didn't want the app on their phone got a token. The user who lost their phone the following week got a temporary bypass code and a replacement enrollment. The legacy app got fixed properly in the second sprint. Normal stuff.
The Result
Every SaaS login now goes through Duo SSO with MFA. Every Windows logon, local console or RDP, on the network or off, requires a second factor. Offboarding is a single action in the directory: disable the user, and access dies everywhere at once, including the Windows session on whatever device they have. The cached-credential problem is solved by the same architecture that solved the SSO problem.
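The "single action in the directory" offboarding step above, written out as an added runbook script that is not part of the original post and not Duo's own tooling. It assumes the RSAT ActiveDirectory module, rights to modify the user, and that app access is driven by AD group membership as the deployment describes; group names and the Domain Users exclusion are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the post or from Duo): one-action offboarding in AD,
# with the verification a defender wants in the ticket. Assumes the RSAT
# ActiveDirectory module and that SSO app access is mapped from AD groups.
param(
    [Parameter(Mandatory)] [string] $SamAccountName
)

$user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, Enabled

# 1. Disable the account. With Duo SSO fronting M365/Google via directory sync,
#    this is what cuts SaaS access; Duo Windows Logon means a cached Windows
#    password alone no longer unlocks the laptop (bounded by the offline window).
Disable-ADAccount -Identity $user

# 2. Rotate the password so any cached hash on a laptop stops matching once
#    the machine next reaches a domain controller. Throwaway value, never shown.
$bytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPw

# 3. Strip group memberships. Because app access is provisioned by group,
#    this also removes the mapping the SSO directory sync would otherwise keep.
#    (Primary group, typically Domain Users, is not in MemberOf and stays.)
foreach ($groupDn in $user.MemberOf) {
    Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
}

# 4. Re-read and report, so the ticket records the end state rather than intent.
$after = Get-ADUser -Identity $SamAccountName -Properties MemberOf, Enabled, PasswordLastSet
[pscustomobject]@{
    User            = $SamAccountName
    Enabled         = $after.Enabled          # expect False
    GroupsRemaining = $after.MemberOf.Count   # expect 0
    PasswordLastSet = $after.PasswordLastSet  # expect "just now"
}
```

Run it from an admin workstation as `.\Offboard-User.ps1 -SamAccountName jdoe` and attach the output object to the offboarding ticket; any machine the user still holds is then limited to the Duo offline-access window described above.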
The insurance renewal went through clean. The questionnaire that had a third of its boxes unchecked six weeks earlier got submitted with confidence. Premium didn't drop dramatically (they rarely do), but the carrier didn't add exclusions or push for additional controls, which at this size is the win.
The client's IT generalist got their afternoons back. Password resets dropped because users have one credential to remember instead of eight. "I can't get into [app]" tickets dropped because access is provisioned by group membership, not by hand.
If Your Environment Looks Like This
A lot of mid-size businesses are running the same setup this client was, and they know it. The gap between where they are and where their insurance carrier — or their clients, or their auditors — expects them to be is smaller than it looks. A Duo deployment at this scale is a two-to-four week project, not a six-month transformation.
We deploy identity hardening as a standard piece of our managed IT engagements. If you're looking at a renewal questionnaire and seeing too many unchecked boxes, get in touch.