Using AD Connect Passthrough
Prerequisites
- Link your directory to Office 365 with AD Connect, and configure Passthrough mode as shown here
- Do not enable the passthrough "Single sign-on" option on AD Connect (it's not needed)
- Using a non-AuthLite user, make sure you can log on with a synchronized user's UPN and password
- AuthLite version 2.3.14 or later must be installed on your DCs and on all AD Connect instances (if you have any that run on member servers)
AuthLite Configuration
- On each system running AD Connect, go into AuthLite Configuration -> Forced 2-factor Processes and add the process "AzureADConnect", click Apply
Testing
- Your AuthLite users should be unable to log in with UPN and password now.
- They should be able to log in by entering their normal password followed by a dash (minus) and their OTP, all together in the password field. (For YubiKey, the dash character is optional)
Note that all primary Office 365 authentications for AuthLite users will now require 2-factor, including the login that happens when registering a new device for email access. (Once registered, the device will no longer require user authentication each time).
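The following is an added illustration of the combined "password-OTP" entry format described in the Testing section; it is not AuthLite's own code. It models two assumptions: a YubiKey OTP is the fixed 44-character modhex token, which is why the dash is optional there, and other OTPs are numeric and are split off at the last dash so that passwords containing dashes still work.

```python
import re

# Constructed model of the "password-OTP" field format. This is NOT AuthLite's
# implementation; it only shows how the two parts can be separated unambiguously.

MODHEX = "cdefghijklnrtuv"      # YubiKey OTPs use only these characters
YUBIKEY_OTP_LEN = 44            # 12-char public ID + 32-char encrypted token
NUMERIC_OTP_RE = re.compile(r"^\d{6,8}$")  # typical OATH lengths (assumption)


def split_combined_password(field: str):
    """Return (password, otp, kind) or raise ValueError if no OTP is present."""
    # YubiKey: the token is a fixed-length modhex string at the end of the field,
    # so it is recognisable without a separator; a leading dash is stripped if given.
    if len(field) > YUBIKEY_OTP_LEN:
        tail = field[-YUBIKEY_OTP_LEN:]
        if all(ch in MODHEX for ch in tail):
            password = field[:-YUBIKEY_OTP_LEN]
            if password.endswith("-"):
                password = password[:-1]
            if password:
                return password, tail, "yubikey"
    # Numeric OTP: split on the LAST dash, so a password such as "Summer-2024!"
    # keeps its own dashes intact.
    head, sep, tail = field.rpartition("-")
    if sep and head and NUMERIC_OTP_RE.match(tail):
        return head, tail, "oath"
    raise ValueError("no OTP found in password field; 2-factor is required")


def has_otp(field: str) -> bool:
    """True if the field carries an OTP, i.e. a plain password alone is rejected."""
    try:
        split_combined_password(field)
        return True
    except ValueError:
        return False
```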