I wouldn't recommend anyone deploy Duo DAG now. Duo Central is a similar newer product but 100% cloud-based. It is included in all Duo subscriptions.
https://duo.com/docs/duo-central
Personally, I have converted all of my Duo DAG customers to Duo Central now.
Duo Central can authenticate against either Active Directory or Azure AD. I would authenticate against whatever is the most "authoritative" source in your network.
Duo Central also lets you add cool features like inline AD password reset (for users with expired passwords), passwordless login (although this does not work with AnyConnect yet...), trusted computer requirements, device health requirements, etc.