How to add classic OATH hardware token to Office 365 MFA
To make use of a classic OATH hardware token you will need to purchase an Azure AD Premium P1 or P2 license. With a programmable hardware token for Azure MFA, which is a drop-in replacement for Microsoft's authenticator app (Microsoft Authenticator), there is no need for a premium subscription; an Azure AD Free license is enough.
Azure AD supports OATH-TOTP SHA-1 tokens with a 30-second or 60-second time step (currently in public preview). We have tested our tokens (all of them OATH-TOTP SHA-1, 30-second, 6 digits) with Azure MFA in the cloud and can confirm they are all supported.
The following are the prerequisites for completing this configuration:
- Azure AD Premium P1 or P2 license
- Token2 hardware token(s)
- A CSV file for your token device(s). You can request the CSV file here after successful delivery *.
* Please do not forget to send your public GPG/PGP key when requesting the CSV. This ensures the sensitive data (the token seeds) is not sent over insecure channels, as most email systems still use insecure protocols. You will only need to fill in the usernames (the UPN column); please use a plain text editor, not a spreadsheet editor such as MS Excel, which may break the format.
Prepare the CSV file
The CSV file sent by Token2 does not contain the UPN of your users, so you have to add that information yourself. Open the file in a text editor and fill in the missing UPN column. The header row of the final file should look like this:
upn,serial number,secret key,timeinterval,manufacturer,model
Make sure you include the header row in your CSV file exactly as shown above. Also, please do not edit the CSV file in Excel; use a text editor (Notepad) instead.
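As an added example (not Token2's or Microsoft's code), the following Python helper fills in the upn column of the vendor CSV from a serial-number-to-user mapping and checks every row before you upload it: the header must match the one shown above, each row must have six columns, a UPN must be assigned, the time interval must be 30 or 60, and the secret key must decode as base32 (the base32 check is an assumption drawn from the OATH-TOTP seed format). The serial numbers, secrets and user names below are constructed.

```python
import base64
import csv
import io

# Header row exactly as shown on this page; the upload fails if it does not match.
EXPECTED_HEADER = ["upn", "serial number", "secret key", "timeinterval", "manufacturer", "model"]
ALLOWED_INTERVALS = {"30", "60"}  # the two OATH-TOTP time steps the page says Azure AD supports

# Constructed sample of a vendor CSV with the upn column left empty (serials and secrets are made up).
VENDOR_CSV = """upn,serial number,secret key,timeinterval,manufacturer,model
,1234567890,JBSWY3DPEHPK3PXP,30,Token2,C301
,1234567891,JBSWY3DPEHPK3PXQ,60,Token2,C301
"""

# Constructed mapping of token serial number -> user principal name (hypothetical users).
ASSIGNMENTS = {"1234567890": "alice@example.com", "1234567891": "bob@example.com"}


def is_base32(secret: str) -> bool:
    """Assumption: the secret key column is the base32 OATH seed; reject anything that does not decode."""
    padded = secret + "=" * (-len(secret) % 8)
    try:
        base64.b32decode(padded, casefold=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def prepare_csv(vendor_csv: str, assignments: dict) -> tuple[str, list[str]]:
    """Fill the upn column from assignments and validate each row.
    Returns (CSV text ready to upload, list of problems); upload only when the list is empty."""
    reader = csv.reader(io.StringIO(vendor_csv))
    header = next(reader)
    if header != EXPECTED_HEADER:
        return "", [f"unexpected header row: {header}"]
    problems = []
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")  # plain text output, no spreadsheet reformatting
    writer.writerow(header)
    for line_no, row in enumerate(reader, start=2):
        if not row:
            continue  # tolerate a trailing blank line
        if len(row) != len(EXPECTED_HEADER):
            problems.append(f"line {line_no}: expected 6 columns, got {len(row)}")
            continue
        upn, serial, secret, interval, manufacturer, model = (c.strip() for c in row)
        upn = upn or assignments.get(serial, "")
        if "@" not in upn:
            problems.append(f"line {line_no}: no UPN assigned to serial {serial}")
        if interval not in ALLOWED_INTERVALS:
            problems.append(f"line {line_no}: unsupported time interval {interval!r}")
        if not is_base32(secret):
            problems.append(f"line {line_no}: secret key for serial {serial} is not valid base32")
        writer.writerow([upn, serial, secret, interval, manufacturer, model])
    return out.getvalue(), problems
```

Write the returned text to a file with a plain-text editor or from the script itself; never round-trip it through Excel.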
Import the CSV file
Navigate to Azure Portal > Azure Active Directory > MFA Server > OATH tokens and click on Upload, then select your CSV file.
If the CSV file format is not correct, you will get an error.
If the upload is successful, click the "Refresh" button to see the list of tokens on the same page.
You should activate the tokens one by one. To proceed with activation, click the "Activate" link in the last column. Enter the 6-digit OTP code shown on the token (yes, you have to have physical access to the token) and click "Activate".
This dialogue window has some glitches, such as the "Activate" button appearing greyed out and the "Close" button in the top right having no icon. Both buttons work just fine when clicked.
If the OTP is accepted by the MFA server, a message saying "Successfully activated the selected OATH token" will be displayed and the user will have a checkbox in the Activated column.
The activation process proposed by Microsoft is manual and can be done only for one user at a time. If you need bulk activation, Token2 has developed a solution
to automate the activation of imported hardware tokens with Azure MFA.
Once the OATH token is activated and set as the default MFA method, users can use it to log in. Please note that the login page will still ask for an "authenticator app" code, but the OTP generated by the hardware token will be accepted without any issues.
For larger organizations, we recommend instructing users in remote offices to set up additional MFA methods alongside the hardware tokens. This ensures users can still log in if the hardware token is lost or damaged. Additional MFA factors, such as SMS or a mobile app, can be configured by users themselves on this page.