Classic hardware tokens for Office 365 / Azure cloud Multi-factor authentication




Recently, Microsoft has introduced a new process for transitioning from the legacy policy settings of Azure Active Directory (Azure AD) which previously managed multifactor authentication (MFA) and self-service password reset (SSPR) separately, to a unified management system using the Authentication methods policy. It is important to be aware that if you choose to follow this procedure, you may encounter difficulties with classic hardware tokens. Specifically, if you currently utilize, or plan to utilize, classic hardware tokens, it is recommended that you postpone migration of these tokens and refrain from completing the migration process at this time.




How to add classic OATH hardware token to Office 365 MFA


Azure AD supports the use of OATH-TOTP SHA-1 tokens of the 30-second or 60-second variety (currently in public preview). We have tested our tokens (they are all OATH-TOTP SHA-1, 30-second, 6 digits) with Azure MFA in the cloud and can confirm they are all supported.


Requirements

The following are the pre-requirements to complete this configuration: 

  • Azure AD Premium P1 or P2 license
  • Token2 hardware token(s)
  • A CSV file for your token device(s). You can request the CSV file from your order page after successful delivery *. 

Please do not forget to send your public GPG/PGP key when requesting the CSV; this ensures the sensitive data is not sent over insecure channels (most email systems still use insecure protocols). You will only need to modify the usernames (UPN column). Please use a plain text editor, not a spreadsheet editor like MS Excel, as it may break the format.


Prepare the CSV file

The CSV file sent by Token2 does not contain the UPN for your users, so you have to add that information. Open the file in a text editor and add the missing information. The final file should look like shown below:

upn,serial number,secret key,timeinterval,manufacturer,model
[email protected],60234567,1234567890abcdef1234567890abcdef,30,Token2,c202

Make sure you include the header row in your CSV file as shown above. Also, please do not edit the CSV file in Excel; use a text editor (Notepad) instead.
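The following script is an added example, not code from the original page or from Token2: it fills in the UPN column from a serial-number-to-UPN mapping and checks the file against the layout shown above before you upload it. The sample rows, the mapping and the dummy secret keys are constructed; the encoding of the secret key itself is not checked, since that is whatever the vendor file supplies.

```python
import csv
import io

# Header row exactly as required by the Azure AD OATH token upload (from the page above).
EXPECTED_HEADER = ["upn", "serial number", "secret key", "timeinterval", "manufacturer", "model"]

# Constructed sample in the vendor CSV layout; the UPN column is still empty, as delivered.
# The secret keys are dummy values, not real token seeds.
SAMPLE = """upn,serial number,secret key,timeinterval,manufacturer,model
,60234567,1234567890abcdef1234567890abcdef,30,Token2,c202
,60234568,abcdef1234567890abcdef1234567890,60,Token2,c202
"""

def fill_upns(csv_text: str, serial_to_upn: dict) -> str:
    """Return the CSV text with the UPN column filled from a serial -> UPN mapping.
    Rows whose serial is not in the mapping are written back unchanged."""
    reader = csv.reader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for i, row in enumerate(reader):
        if i > 0 and len(row) == len(EXPECTED_HEADER):
            row[0] = serial_to_upn.get(row[1], row[0])
        writer.writerow(row)
    return out.getvalue()

def validate_csv(csv_text: str) -> list:
    """Return a list of problems; an empty list means the file matches the expected layout."""
    problems = []
    if csv_text.startswith("\ufeff"):
        problems.append("file starts with a UTF-8 BOM (typical of Excel); save it as plain text")
    rows = list(csv.reader(io.StringIO(csv_text.lstrip("\ufeff"))))
    if not rows or [c.strip().lower() for c in rows[0]] != EXPECTED_HEADER:
        problems.append("header row is missing or does not match the required columns")
        return problems
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(EXPECTED_HEADER):
            problems.append(f"line {n}: expected {len(EXPECTED_HEADER)} columns, got {len(row)}")
            continue
        upn, serial, secret, interval, _manufacturer, _model = row
        if "@" not in upn:
            problems.append(f"line {n}: UPN '{upn}' is not filled in")
        if not serial.isdigit():
            problems.append(f"line {n}: serial number '{serial}' is not numeric")
        # The secret's encoding is left to the vendor file; only obvious damage is flagged.
        if not secret or any(ch.isspace() for ch in secret):
            problems.append(f"line {n}: secret key is empty or contains whitespace")
        if interval not in ("30", "60"):
            problems.append(f"line {n}: timeinterval must be 30 or 60, got '{interval}'")
    return problems
```

Run validate_csv on the file you intend to upload; an empty list means the header and column layout are in place and every row has a UPN.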


Import the CSV file

Navigate to Azure Portal > Azure Active Directory > MFA Server > OATH tokens and click on Upload, then select your CSV file.

If the CSV file format is not correct, you will get an error.


If the upload is successful, click on the "Refresh" button to see the list of tokens on the same page.



Activating tokens

You should activate the tokens one by one. To proceed with activation, click on the Activate link in the last column. Enter the 6-digit OTP code shown on the token (yes, you need physical access to the token) and click on "Activate".


This dialogue window has some glitches: the "Activate" button appears greyed out and the "Close" button in the top right has no icon. Both buttons work just fine when clicked.

If the OTP is accepted by the MFA server, a message saying "Successfully activated the selected OATH token" will be displayed and the user will have a checkbox in the Activated column.


The activation process proposed by Microsoft is manual and can be done only for one user at a time. If you need bulk activation, Token2 has developed a solution to automate the activation of imported hardware tokens with Azure MFA.


Once the OATH token is activated and set as the default MFA method, users can use it to log in. Please note that the login page will still ask for an "authenticator app" code, but the OTP generated by the hardware token will be accepted without any issues.


For larger organizations, we recommend instructing users in remote offices to set up additional MFA methods alongside the hardware tokens. This ensures users can still log in if the hardware token is lost or damaged. Additional MFA factors, such as SMS or the mobile app, can be configured by users themselves on this page.



Video

Check out this video review created by one of our clients, demonstrating the process of importing and activating the tokens as well as the user login experience.





