I'm looking at enabling Azure Multifactor Authentication as a service for remote access scenarios. This doesn't appear to be a big deal.
However, Office 365 is in use with DirSync. I found http://community.office365.com/en-us/blogs/office_365_technical_blog/archive/2013/06/19/enabling-office-365-multi-factor-authentication-for-online-administrators-grid-user-post.aspx which talks about enabling multifactor going through https://activedirectory.windowsazure.com/. However, that appears to be exclusively for accessing Office 365, not for general multifactor use. Furthermore, that is an interface that is EOL (there's a warning about it when you sign in), so even if that was right, it would be wrong. It appears the primary portal has a similar set of options, but again, only for Office 365 administrator access.
If we did not have Office 365 in the environment, we could use a standard Azure Active Directory configuration with DirSync. But we do have Office 365.
What is the right way to address this? It seems like we need to do one of the following:
expose the existing Office 365 AAD instance somewhere. Accessing the Azure portal as the Office 365 portal user does not show the instance, so I'm not sure where else I'd go
Do multiple targets for DirSync somehow - one as Office 365 and one an exposed Azure Active Directory instance. This feels very wrong.
Give up
I can't think of another option.
What is the right way to do this?
OK, I sorted this. The primary issue ultimately was two-fold:
The mess that is Microsoft Account vs. Corporate Account in Windows Azure - not signing in to the right one at the right time (or even realizing that was the case)
Microsoft was working on moving the offering to production literally as I was trying to work through this, so lots of stuff was short-term broken for a few days.