Using AD Connect Passthrough
Prerequisites
- Link your directory to Office 365 with AD Connect, and configure Passthrough mode as shown here
- Do not enable the passthrough "Single sign-on" option on AD Connect (it's not needed)
- Using a non-AuthLite user, make sure you can log on with a synchronized user's UPN and password
- AuthLite version 2.3.14 or later must be installed on your DCs and on all AD Connect instances (if you have any that run on member servers)
AuthLite Configuration
- Download API.ps1 and run the following command to turn on UPN support (at the time of writing there is no user-interface option for this):
.\API.ps1 SetPartitionSetting -name UPNSupport -value true -reload $true
Note the "$" difference between the two arguments: -value takes the string true, while -reload takes the PowerShell boolean $true.
Note: This setting will take up to 20 minutes plus replication delay to be seen by all ADFS servers.
- On each system running AD Connect, go into AuthLite Configuration -> Forced 2-factor Processes, add the process "AzureADConnect", and click Apply
Testing
- Your AuthLite users should be unable to log in with UPN and password now.
- They should be able to log in by entering their normal password followed by a dash (minus) and their OTP, all together in the password field. (For YubiKey, the dash character is optional)
Note that all primary Office 365 authentications for AuthLite users will now require 2-factor, including the login that happens when registering a new device for email access. (Once registered, the device will no longer require user authentication each time).