Using hardware tokens with Azure MFA

Azure Multi Factor Authentication has been around for a while and if you’re not yet using it yet, you should be implementing it! Two factor authentication is a key element to protecting the users and data in your on-premises, Microsoft 365 and Azure environment.

Azure MFA can be implemented in multiple ways and in my experience the most commonly used authentication methods are either the Microsoft Authenticator App, Text message or Call to phone.

How about those good old fashioned hardware tokens?

In some cases these authentication methods may not satisfy your users’ needs. They could for example be in the situation that they’re not provided with a company smartphone and don’t want to use their personal smartphone for work related purposes. Other examples could be contractors or the need to have a physical backup for your Authenticator App. Up to five different authentication methods can be set up per user, including OATH tokens.

In these situations, you can consider using OATH Tokens with Azure MFA so you can provide your users with a good old fashioned hardware token. You should however keep in mind that this feature is currently still in public preview and make sure you’re aware of the terms and conditions.

What are OATH Tokens?

Azure MFA in the Cloud supports OATH-TOTP SHA-1 tokens that generate a One Time Password every 30 or 60 seconds, having a seed that is 128 characters or less. Any token that supports these specific specifications can be purchased from a vendor of your choice. Since OATH is a widely used standard, it shouldn’t be too difficult to find. One of the vendors I have tested this with is Token2. Some vendors also market specific tokens to be compatible with Azure MFA, providing you with a ready-to-use CSV that you can easily upload within your Azure environment.

License requirements

In order to use Azure MFA, your users must have been assigned the appropriate license. You will be needing either Azure AD Premium Plan 1 or Plan 2 licenses. One of these licenses is already included in your license if your users have been assigned a Office 365 E5, Enterprise Mobility + Security E3 or E5 or Microsoft 365 Business Premium license.

How does it work?

OATH tokens generate a One Time Password every 30 or 60 seconds based on a seed (“secret key”) that is provided to you by the vendor/retailer. Some of these tokens are also programmable, giving you the opportunity to re-program the seed and be fully in control of the seed that is used.

Implementing OATH Tokens in Azure MFA

Adding tokens to Azure MFA is not a difficult process. You upload the CSV that was either provided by the vendor or manually created by you, in the Azure AD Admin Center.

Your CSV file should look like the following example. Make sure you enter the secret key in Base32 format.

upn,serial number,secret key,time interval,manufacturer,model
[email protected],1234567,1234567abcdef1234567abcdef,60,M365Tech,HardwareKey

If you receive an error during the import, click on the error and download the file. The first column of every row that contains an error, will contain the error message.

After importing the CSV, it might take a minute for it to be processed. Refresh the Admin Center to check if it’s done. Please make sure to Activate the token after importing the CSV file by clicking the “Activate” link next to the user while in the “OATH Tokens” pane. You’ll be needing the actual token, since you need the OTP in order to activate.

Before testing, make sure the user has MFA enabled. I highly recommend setting up a conditional access policy for this.

I also recommend checking out the Token2 TOTP Toolset. You can use the toolset to emulate hardware tokens but can also easily generate seeds and the Azure CSV File if you use Token2 hardware.

2 thoughts on “Using hardware tokens with Azure MFA”

  1. Great article! 3 Questions?
    Why do you need the AD Premium license, is that to unlock the MFA portal feature?
    Do you need to assign the token to a user, or can these be used for any tenant user?
    What does the login procedure look like, does the user still need to configure MFA at first logon?
    Thanks 🙂

    • Hi Marco,

      Azure AD Premium is not required if you only want to use this for Office 365.
      You can burn the seed that the Microsoft Authenticator app uses by scanning the QR Code using the TOTP Toolkit. Token2 has an article on this.

      I don’t really like this method of activating the tokens, as you can not fully activate the token for the user. Also you’re limited to Office 365 and can’t use multiple devices for MFA, since this is a Azure AD Premium feature. Token2 also has a method to bulk activate tokens, making it ‘zero touch’ for the end user. I would also advise you to use Conditional Access to enforce MFA on the services you offer to your end users. This also requires an Azure AD Premium license assigned.

      When you upload the CSV file, you must enter a UPN and can then only activate the token for that user. Ofcourse you can always remove and re-upload the CSV for a different user.

      The user does not need to activate MFA when you activate the token as described in the article. When a user already has a primary MFA method configured, the user does have to change this to the hardware token if that’s what you want.


Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.