UserLock is one of the few solutions on the market that can enforce multi-factor authentication for logons to Windows computers joined to an Active Directory domain.
UserLock can be used with hardware tokens. Compatibility with Token2 programmable hardware tokens has been officially confirmed by ISDecisions, and the enrollment guide is available on the UserLock website. Our hardware tokens can also be used to secure access to Microsoft Office 365 services by leveraging Azure Cloud MFA. However, there is currently no direct integration between Azure MFA and UserLock, so each service would need a separate hardware token for each user, which is rather inconvenient.
In this article, we will show a workaround that lets a user access both UserLock-secured Active Directory and Office 365 services with a single hardware token.
The following will be needed:
Please refer to the guide published by ISDecisions: Onboarding for End Users – with a Token2 programmable token.
In Step 2 of the guide, the system generates a base32 seed, which has to be recorded for Azure MFA provisioning. Copy the seed shown on the provisioning page to a text file and have it ready for the next phase.
Prepare a CSV file in the following format, using the base32 seed recorded in the previous step:
upn,serial number,secret key,time interval,manufacturer,model
<UPN>,10000001,<SEED>,30,Token2,C301
Replace the following values:
<UPN>: replace with the UPN (email address) of the user being provisioned
<SEED>: replace with the base32 seed recorded in the previous phase
Save the file with a .csv extension. Important: make sure you use a plain text editor, such as Notepad or Notepad++. Editing this file with Excel may break the format. Import the CSV file to Azure MFA as described in the guide.
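The script below is an added example, not part of the ISDecisions guide or of any Token2 tool. It builds the import file without a spreadsheet editor, rejects a seed that is not valid base32, and computes the current code so the copied seed can be compared with what the token displays before the import. The function names, the output file name, the sample UPN and the sample seed (the RFC 6238 test key) are assumptions, as are HMAC-SHA1 and 6-digit codes; the 30-second interval and the column order come from the CSV format above.

```python
import base64, csv, hashlib, hmac, io, struct, time

# Column order taken from the CSV header shown on this page.
HEADER = ["upn", "serial number", "secret key", "time interval", "manufacturer", "model"]

def normalize_seed(seed):
    """Remove spaces, uppercase, and confirm the seed is decodable base32."""
    s = seed.replace(" ", "").upper()
    if not s:
        raise ValueError("empty seed")
    base64.b32decode(s + "=" * (-len(s) % 8))  # raises ValueError on a bad seed
    return s

def totp(seed, at=None, interval=30, digits=6):
    """RFC 6238 code for the seed; HMAC-SHA1 and 6 digits are assumptions."""
    s = normalize_seed(seed)
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = int((time.time() if at is None else at) // interval)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def build_csv(upn, serial, seed, interval=30, manufacturer="Token2", model="C301"):
    """Return the two-line import file as text, with no stray spaces."""
    upn = upn.strip()
    if upn.count("@") != 1:
        raise ValueError("UPN must look like user@domain")
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\r\n")
    writer.writerow(HEADER)
    writer.writerow([upn, str(serial).strip(), normalize_seed(seed),
                     interval, manufacturer, model])
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample values: placeholder UPN and the RFC 6238 test key.
    seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("Token should currently show:", totp(seed))
    with open("token_import.csv", "w", newline="", encoding="utf-8") as fh:
        fh.write(build_csv("alice@example.com", "10000001", seed))
```

If the printed code does not match the token's display within the same 30-second window, the seed in the text file was copied incorrectly and should be fixed before the import.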
After completing the activation with Azure AD, the same hardware token can be used for both systems.