Classic hardware tokens for Office 365 / Azure cloud Multi-factor authentication
How to add classic OATH hardware token to Office 365 MFA
To use a classic OATH hardware token with Office 365 / Azure MFA you need an Azure AD Premium P1 or P2 license. A programmable hardware token for Azure MFA, which is a drop-in replacement for the Microsoft Authenticator app, does not need a premium subscription; an Azure AD Free license is enough.
Azure AD supports OATH-TOTP SHA-1 tokens with a 30-second or 60-second time step (the feature is currently in public preview). We have tested our tokens (all of them are OATH-TOTP SHA-1, 30-second, 6 digits) with Azure MFA in the cloud and can confirm they are supported.
The following are the prerequisites for this configuration:
- Azure AD Premium P1 or P2 license
- Token2 hardware token(s)
- A CSV file for your token device(s). You can request the CSV file from your order page after successful delivery *.
* Please do not forget to send your public GPG/PGP key when requesting the CSV. The file contains each token's secret key (its TOTP seed), and encrypting it ensures this sensitive data is not sent over an insecure channel (most email systems still use insecure transport). Treat the file as credential material and delete it once the tokens are imported. You will only need to modify the usernames (the UPN column); use a plain text editor, not a spreadsheet editor such as MS Excel, which may break the format (for example by reformatting the serial number or secret key as a number).
Prepare the CSV file
The CSV file sent by Token2 does not contain the UPN for your users, so you have to add that information. Open the file in a text editor and fill in the missing UPN at the start of each row. The final file should look like shown below (one header line, then one line per token):
upn,serial number,secret key,timeinterval,manufacturer,model
[email protected],60234567,1234567890abcdef1234567890abcdef,30,Token2,c202
Import the CSV file
Navigate to Azure Portal > Azure Active Directory > MFA Server > OATH tokens and click on Upload, then select your CSV file.
If the CSV file format is not correct, the upload fails with an error; check the header line and the number of columns in each row.
If the upload is successful, click on "Refresh" button to see the list of tokens on the same page.
Tokens must be activated one by one. To activate a token, click the Activate link in the last column, enter the 6-digit OTP code currently shown on the token (so you need physical access to the token) and click "Activate".
If the OTP is accepted, the message "Successfully activated the selected OATH token" is displayed and the token's row shows a check mark in the Activated column.
Once an OATH token is activated and set as the user's default MFA method, the user can sign in with it. Note that the sign-in page still asks for an "authenticator app" code; the OTP generated by the hardware token is accepted in that field.
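The two manual steps above, filling in the UPN column and reading a code off the token to activate it, are where mistakes happen: a row with a missing or malformed UPN, a time interval that is neither 30 nor 60, or a seed that does not match the physical token. The script below is an added example written for this page, not Token2's or Microsoft's code. It fills the UPN column from a serial-to-UPN map, validates every row of the import file, and computes the RFC 6238 TOTP code (HMAC-SHA1, 6 digits) for each seed so you can compare it with the token's display before uploading. It assumes the secret key column is Base32 encoded, which is the encoding Azure AD's import format expects; the sample file, serials, UPNs and seeds are constructed for the example (one seed is the RFC 6238 test key, so its codes can be checked against the RFC's test vectors).

```python
import base64
import binascii
import csv
import hashlib
import hmac
import io
import struct
import time

# Column layout of the Azure AD OATH token import file, as shown on this page.
HEADER = ["upn", "serial number", "secret key", "timeinterval", "manufacturer", "model"]


def fill_upns(vendor_csv: str, serial_to_upn: dict) -> str:
    """Return the vendor CSV with the empty upn column filled from a serial -> UPN map.

    Only the upn column is touched. Rows whose serial is not in the map keep their
    existing upn value so nothing is silently dropped or reordered.
    """
    reader = csv.DictReader(io.StringIO(vendor_csv))
    if reader.fieldnames != HEADER:
        raise ValueError(f"unexpected header: {reader.fieldnames}")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=HEADER, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        row["upn"] = serial_to_upn.get(row["serial number"], row["upn"])
        writer.writerow(row)
    return out.getvalue()


def decode_secret(secret: str) -> bytes:
    """Decode the seed. Assumption: Base32, as the Azure AD import format expects."""
    s = secret.strip().upper()
    s += "=" * (-len(s) % 8)          # tolerate files that omit Base32 padding
    return base64.b32decode(s)


def validate(csv_text: str) -> list:
    """Return (line_number, problem) tuples; an empty list means the file looks importable."""
    problems = []
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames != HEADER:
        return [(1, f"header must be {','.join(HEADER)}")]
    seen_serials = set()
    for n, row in enumerate(reader, start=2):
        field = lambda k: (row.get(k) or "").strip()   # missing columns become ""
        if "@" not in field("upn"):
            problems.append((n, "upn is empty or not a user@domain name"))
        if not field("serial number"):
            problems.append((n, "serial number missing"))
        elif field("serial number") in seen_serials:
            problems.append((n, "duplicate serial number"))
        seen_serials.add(field("serial number"))
        try:
            decode_secret(field("secret key"))
        except (binascii.Error, ValueError):
            problems.append((n, "secret key is not valid Base32"))
        if field("timeinterval") not in ("30", "60"):
            problems.append((n, "timeinterval must be 30 or 60"))
        if not field("manufacturer") or not field("model"):
            problems.append((n, "manufacturer and model must not be empty"))
    return problems


def totp(key: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the algorithm these tokens implement."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def expected_codes(csv_text: str, now: int = None) -> dict:
    """Map serial -> OTP the token should display now, for a pre-activation sanity check."""
    now = int(time.time()) if now is None else now
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["serial number"]: totp(decode_secret(row["secret key"]), now, int(row["timeinterval"]))
            for row in reader}


# Constructed sample vendor file with the upn column empty, as delivered.
# Serials and seeds are made up; the first seed is the RFC 6238 test key "12345678901234567890".
VENDOR_CSV = (
    "upn,serial number,secret key,timeinterval,manufacturer,model\n"
    ",60234567,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,30,Token2,c202\n"
    ",60234568,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,60,Token2,c202\n"
)
SERIAL_TO_UPN = {"60234567": "alice@contoso.com", "60234568": "bob@contoso.com"}  # hypothetical users
FILLED_CSV = fill_upns(VENDOR_CSV, SERIAL_TO_UPN)

if __name__ == "__main__":
    for line_no, problem in validate(VENDOR_CSV):
        print(f"vendor file, line {line_no}: {problem}")
    print(FILLED_CSV)
    print("problems after filling UPNs:", validate(FILLED_CSV))
    print("codes the tokens should show right now:", expected_codes(FILLED_CSV))
```

Run it against the file you received (after decrypting it), compare each printed code with the corresponding token's display, and only then upload; a mismatch means the seed in the file is not the one programmed into that token, and activation in the portal would fail for the same reason. Keep the decrypted file and any output containing seeds off shared drives and mailboxes.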
Video: check out this video review created by one of our clients demonstrating the process of importing and activating the tokens as well as the user login experience.