Office 365 (still) sucks hard at 2FA


Although Microsoft has been talking and putting up nice videos about 2FA for quite a while, it’s still a pain in the ass. It really is. Let me explain.

The theory is that you install the latest Office, enable 2FA for the user in the Office Portal and be done with it. Guess what, that’s totally not the case.

If you’re on Office 2016 you should be fine, but if you’re on Office 2013, you gotta mess in the Registry first: the client only does modern (ADAL/OAuth) authentication once you set the EnableADAL and Version DWORDs to 1 under HKCU\Software\Microsoft\Office\15.0\Common\Identity (and have the 2015 Office 2013 updates installed). Alright, cool. It still doesn’t work. What the heck. Oh, it’s enabled in the client now, but not on the server side. You need to enable modern authentication for Exchange Online, from an Exchange Online remote PowerShell session:

Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true 
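As an added example (not from the original post, and not Microsoft’s own script), here is the whole client-plus-server dance in one PowerShell script: check and set the Office 2013 registry keys, then connect to Exchange Online and flip OAuth2ClientProfileEnabled only if it is still off. The tenant admin UPN is a placeholder, and the registry path assumes Office 2013 (version 15.0) on the local user profile.

```powershell
# Added example: enable modern authentication for Office 2013 (client) and
# Exchange Online (server). Not the original post's code; assumes Office 2013
# (15.0) and an Exchange Online remote PowerShell session.

# --- Client side: Office 2013 needs two DWORDs before it will use ADAL/OAuth ---
$identityKey = 'HKCU:\Software\Microsoft\Office\15.0\Common\Identity'
if (-not (Test-Path $identityKey)) {
    New-Item -Path $identityKey -Force | Out-Null
}
foreach ($name in 'EnableADAL', 'Version') {
    $current = (Get-ItemProperty -Path $identityKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -ne 1) {
        New-ItemProperty -Path $identityKey -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
        Write-Host "Set $identityKey\$name = 1"
    } else {
        Write-Host "$name already set"
    }
}

# --- Server side: modern auth must also be switched on for the tenant ---
# Note the irony: this remote PowerShell session itself uses Basic auth and
# cannot complete 2FA, so the account used here must be one without it.
$cred = Get-Credential -Message 'Global admin (placeholder: admin@example.onmicrosoft.com)'
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking | Out-Null

$orgConfig = Get-OrganizationConfig
if (-not $orgConfig.OAuth2ClientProfileEnabled) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true
    Write-Host 'Modern authentication enabled for Exchange Online'
} else {
    Write-Host 'Modern authentication was already enabled'
}

# Re-read to confirm the change actually took
Get-OrganizationConfig | Select-Object OAuth2ClientProfileEnabled

Remove-PSSession $session
```

Run the registry half as the user whose Outlook profile you are fixing and the Exchange half once per tenant; after both, Outlook 2013 should show the browser-style sign-in page with the 2FA prompt instead of the old Basic credentials dialog.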

Why do I have to do that? (Because Outlook with ADAL only gets a token the client can use if the tenant accepts OAuth, and that is off by default.) Never mind, Outlook works now. How about Skype? Nah, they won’t give you that, you gotta register and sign up for a friggin’ preview. Then they’ll invite you within 2 weeks. Or not. That’s about it. Obviously there’s no schedule for general availability, I guess that would make too much sense.

Great, just great. How about the Mac? Not yet. Not coming soon, they won’t say what the hell is going on, it just doesn’t exist. Got it? What about Skype on the Mac? Skype who? There’s Lync 2011, suck it nerds. At least there’s a preview (who would’ve thought that?) which we even were invited to, but my colleagues hate Lync so much that they decided not to participate after all. Because you are required to participate in surveys during the preview, of course. LOL.

There was also a very nice feature of 2FA: trusted IPs. You could specify IP ranges (your office, say) from which web sign-ins don’t have to complete 2FA (rich clients like Outlook and Skype still required it). Guess what? That’s been moved to Azure AD Premium. Yes, freakin’ premium. It sets you back $6 a month, per user. Even if you’re on E3. So you can choose between 2FA on every website login, even in the office, or paying quite some money every month just for this one setting.

Awesome. How about the management cmdlets? Don’t even dream about it, they’re not gonna work. The MSOnline and Exchange Online remote PowerShell modules don’t support 2FA prompts at all, so you gotta keep a global admin without 2FA, otherwise you’re screwed.

AD Connect? You guessed it. It also still uses a separate, dedicated global admin account, without any kind of 2FA. At this point you may be wondering: what is the purpose of enabling 2FA for global admins if you’re still required to keep one that is exempt from it? Every such account is a password-only path to full tenant control, so at the very least you want to know exactly which ones exist.
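Since those exempt accounts are the weak spot, here is an added example (my own script, not from the original post) that lists every member of the global admin role in the tenant and whether 2FA is enabled or enforced on it, using the MSOnline module. The role is looked up by its directory name “Company Administrator”; the credential prompt text is a placeholder.

```powershell
# Added example: audit global admins for missing 2FA using the MSOnline module.
# Not the original post's code. Assumes the MSOnline module is installed and,
# unavoidably, an admin credential that can sign in without 2FA.
Import-Module MSOnline

$cred = Get-Credential -Message 'Global admin (placeholder: admin@example.onmicrosoft.com)'
Connect-MsolService -Credential $cred

# "Company Administrator" is the directory role name behind "Global admin"
$gaRole = Get-MsolRole -RoleName 'Company Administrator'

$report = Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId |
    Where-Object { $_.RoleMemberType -eq 'User' } |
    ForEach-Object {
        $user = Get-MsolUser -ObjectId $_.ObjectId
        # StrongAuthenticationRequirements is empty when 2FA is off;
        # State is 'Enabled' (user still must register) or 'Enforced'
        $state = $user.StrongAuthenticationRequirements.State
        if (-not $state) { $state = 'Disabled' }
        [pscustomobject]@{
            DisplayName       = $user.DisplayName
            UserPrincipalName = $user.UserPrincipalName
            MfaState          = $state
            LastPasswordChange = $user.LastPasswordChangeTimestamp
        }
    }

$report | Sort-Object MfaState | Format-Table -AutoSize

# The ones you actually need to worry about: admins with no 2FA at all
$exempt = $report | Where-Object { $_.MfaState -eq 'Disabled' }
Write-Host ("{0} of {1} global admins have no 2FA" -f $exempt.Count, $report.Count)
```

Run this periodically and make sure the “Disabled” list contains only the accounts you deliberately kept out (the cmdlet and AD Connect accounts), with long random passwords and, ideally, sign-in alerts, rather than somebody’s everyday admin login that quietly fell through the cracks.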

So that’s the state of affairs with 2FA in Office 365 right now. I can’t say I’m impressed. Or would “an awful pile of steaming goatshit” be a more appropriate description?