Azure Multi-Factor Authentication has been around for a while, and if you're not using it yet, you should be implementing it! Two-factor authentication is a key element in protecting the users and data in your on-premises, Microsoft 365 and Azure environments.
Azure MFA can be implemented in multiple ways, and in my experience the most commonly used authentication methods are the Microsoft Authenticator App, text message and call to phone.
How about those good old fashioned hardware tokens?
In some cases these authentication methods may not satisfy your users' needs. For example, users may not be issued a company smartphone and may not want to use their personal smartphone for work-related purposes. Other examples are contractors, or the need for a physical backup alongside the Authenticator App. Up to five different authentication methods can be set up per user, including OATH tokens.
In these situations, you can consider using OATH tokens with Azure MFA, so you can provide your users with a good old-fashioned hardware token. Keep in mind, however, that this feature is currently still in public preview, and make sure you're aware of the terms and conditions.
What are OATH Tokens?
Azure MFA in the cloud supports OATH-TOTP SHA-1 tokens that generate a One Time Password every 30 or 60 seconds, with a seed that is 128 characters or less. Any token that meets this specification can be purchased from a vendor of your choice. Since OATH is a widely used standard, it shouldn't be too difficult to find one. One of the vendors I have tested this with is Token2. Some vendors also market specific tokens as compatible with Azure MFA, providing you with a ready-to-use CSV that you can upload directly within your Azure environment.
In order to use Azure MFA, your users must have been assigned the appropriate license. You will need either Azure AD Premium Plan 1 or Plan 2 licenses. One of these licenses is already included if your users have been assigned an Office 365 E5, Enterprise Mobility + Security E3 or E5, or Microsoft 365 Business Premium license.
How does it work?
OATH tokens generate a One Time Password every 30 or 60 seconds based on a seed (the "secret key") that is provided to you by the vendor or retailer. Some of these tokens are also programmable, giving you the opportunity to re-program the seed and be fully in control of the seed that is used.
Implementing OATH Tokens in Azure MFA
Adding tokens to Azure MFA is not a difficult process. You upload the CSV, either provided by the vendor or created manually by you, in the Azure AD Admin Center.
Your CSV file should look like the following example. Make sure you enter the secret key in Base32 format.
upn,serial number,secret key,time interval,manufacturer,model
If you receive an error during the import, click on the error and download the file. The first column of every row that contains an error will contain the error message.
After importing the CSV, it might take a minute for it to be processed. Refresh the Admin Center to check whether it's done. Make sure to activate the token after importing the CSV file by clicking the "Activate" link next to the user in the "OATH Tokens" pane. You'll need the physical token at hand, since activation asks for a current OTP generated by that token.
Before testing, make sure the user has MFA enabled. I highly recommend setting up a conditional access policy for this.
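To tie the steps above together, here is an added example (not code from the original post, and not a Microsoft or Token2 tool): a Python script that builds the CSV in the column layout shown above, checks each row against the constraints the post states (Base32 secret key, seed of 128 characters or less, 30- or 60-second interval), and emulates the token's OATH-TOTP SHA-1 output so you can confirm that the code displayed by a physical token matches the seed you are about to upload before you activate it. The UPN, serial number, manufacturer and model values are constructed; the seed is the RFC 6238 reference seed (ASCII "12345678901234567890", Base32-encoded); six-digit codes are an assumption, as the post does not state the code length.

```python
import base64
import csv
import hashlib
import hmac
import io
import re
import secrets
import struct
import time

# Column layout exactly as shown in the post
CSV_HEADER = ["upn", "serial number", "secret key", "time interval", "manufacturer", "model"]


def new_seed_base32(num_bytes: int = 20) -> str:
    """Generate a random seed for a programmable token, Base32-encoded without padding."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def totp_sha1(secret_b32: str, unix_time: int, interval: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the token type the post says Azure MFA supports.
    Emulates a hardware token so its displayed code can be cross-checked against the seed."""
    s = secret_b32.strip().upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))       # restore Base32 padding
    counter = unix_time // interval                         # time step number
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                              # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def validate_row(row: dict) -> list:
    """Return the problems in one CSV row, using the constraints stated in the post:
    Base32 secret key, seed length <= 128 characters, time interval of 30 or 60 seconds."""
    problems = []
    secret = row["secret key"]
    if not re.fullmatch(r"[A-Z2-7]+=*", secret.upper()):
        problems.append("secret key is not Base32")
    if len(secret) > 128:
        problems.append("secret key longer than 128 characters")
    if str(row["time interval"]) not in ("30", "60"):
        problems.append("time interval must be 30 or 60")
    if "@" not in row["upn"]:
        problems.append("upn does not look like a user principal name")
    return problems


def build_azure_csv(rows: list) -> str:
    """Render rows in the column layout shown in the post; refuses to emit an invalid row
    so the import error round-trip described in the post is avoided."""
    for r in rows:
        problems = validate_row(r)
        if problems:
            raise ValueError(f"{r['upn']}: {', '.join(problems)}")
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_HEADER, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample row; the seed is the RFC 6238 reference seed, not a real token's
SAMPLE_ROWS = [
    {"upn": "alice@contoso.example", "serial number": "TOKEN-0001",
     "secret key": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", "time interval": "30",
     "manufacturer": "ExampleVendor", "model": "HW-TOTP"},
]

if __name__ == "__main__":
    print(build_azure_csv(SAMPLE_ROWS), end="")
    # Compare this with the code on the physical token before clicking "Activate"
    print("current code:", totp_sha1(SAMPLE_ROWS[0]["secret key"], int(time.time())))
```

Run the script and compare the printed code with what the hardware token shows; if they differ, the seed in your CSV does not match the token (or the token's interval is 60 rather than 30), and the activation step will fail. For tokens you program yourself, new_seed_base32() produces a 20-byte seed, which is well under the 128-character limit the post mentions.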
I also recommend checking out the Token2 TOTP Toolset. You can use the toolset to emulate hardware tokens, and if you use Token2 hardware it can also generate seeds and the Azure CSV file for you.