Hardware Tokens for Azure MFA

Protectimus
3 min read · Feb 19, 2020


There are currently two ways to use a hardware token with Azure Multi-Factor Authentication:

  • With classic OATH TOTP tokens whose secret keys are pre-programmed by the vendor, such as Protectimus Two and Protectimus Crystal. The seeds are imported into Azure AD by an administrator, and to use one of these you need an Azure AD Premium P1 or P2 license.
  • With the programmable hardware token Protectimus Slim NFC, which takes the place of the Microsoft Authenticator app: the user enrolls it the way they would enroll the app, so no premium license is required.

In this article we describe how to set up both types of hardware token for Azure token-based authentication. All three devices are available from Protectimus.

[Photo: Hardware tokens for Azure MFA, Protectimus Two]

Classic OATH hardware tokens for Azure MFA — how to set up

Currently, Azure AD accepts OATH-TOTP tokens that use HMAC-SHA1, a secret key (seed) of at most 128 characters, and a time step of 30 or 60 seconds. Both Protectimus Two and Protectimus Crystal fit these requirements.

Once you have chosen and received the Azure MFA OATH token you prefer, you need to register it with Azure AD. Below is a step-by-step guide to this simple process:

Step 1. Prepare a CSV file with one row per token containing the user's UPN (user principal name), the serial number of the token, the seed (secret key, base32-encoded), the time interval in seconds, and the make and model of the token. The file must start with a header row naming the columns in this order:

upn,serial number,secret key,time interval,manufacturer,model

Step 2. Once the CSV file is created and correctly formatted, import it. In the Azure Portal, browse to Azure Active Directory, then to Security, then to MFA. On the MFA page choose OATH tokens, click the "Upload" button and select your CSV file; the upload may take a few minutes to process.

[Screenshot: How to upload OATH tokens to Azure MFA]

Step 3. Click the "Refresh" button. If the CSV file was processed successfully you will see a list of your hardware tokens; if the file contained an error, you will be notified on the same page:

File uploaded successfully:

[Screenshot: Adding hardware OATH tokens to Azure MFA, file uploaded successfully]

File uploaded with errors:

[Screenshot: Adding hardware OATH tokens to Azure MFA, file uploaded with errors]

Step 4. Now activate each hardware token. If you have multiple tokens, activate them one by one: click the "Activate" button in the rightmost column of the token's row, enter the one-time password currently displayed on the token with that serial number (before it expires), and click the "Verify" button.

[Screenshot: Azure Multi-Factor Authentication hardware token activation]

Step 5. Once Azure AD accepts the one-time password, you will get a message confirming activation of the token you selected from the list, and a check mark appears in the corresponding "Activated" column. The token is now activated and can be used to sign in.

[Screenshot: Azure Multi-Factor Authentication hardware token activated successfully]

Step 6. Check the 2FA settings in the user account.

An OATH hardware token is set as the user's default 2FA method automatically only if no other multi-factor authentication method is registered for that user yet. If the user already has another method (for example the Authenticator app or a phone number), the default stays as it is and has to be changed, by the user in their security info or by an administrator, if the hardware token should be the primary prompt at sign-in.

[Screenshot: Azure MFA user 2-factor authentication settings after an OATH token is activated]
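As an added example (this is not code from the original article or from Protectimus), the following Python script checks an upload file against the format described in Step 1 and then computes the RFC 6238 codes that Azure AD compares against in Step 4, so you can confirm that a token's seed, time interval and current code agree before you activate it. The sample CSV, the UPNs and the serial numbers are constructed for this example and the seed is the RFC 6238 test key rather than a real token seed; the strict header comparison and the ±1 step acceptance window are this example's assumptions, not Azure AD's documented behaviour.

```python
from __future__ import annotations

import base64
import csv
import hashlib
import hmac
import io
import re
import struct
import time

# Column order Azure AD expects in the OATH token upload file; the header row is mandatory.
CSV_HEADER = ["upn", "serial number", "secret key", "time interval", "manufacturer", "model"]
MAX_SECRET_CHARS = 128        # seed length limit stated for Azure AD
ALLOWED_INTERVALS = {30, 60}  # time steps Azure AD accepts, in seconds
_BASE32_RE = re.compile(r"^[A-Z2-7]+=*$")

# Constructed sample upload file. The seed is the RFC 6238 test key
# ("12345678901234567890" in base32), NOT a real token seed; the UPNs, serial
# numbers and the deliberately broken second row are made up for this example.
SAMPLE_CSV = """upn,serial number,secret key,time interval,manufacturer,model
alice@contoso.example,1234567,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,30,Protectimus,Two
bob@contoso.example,,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,45,Protectimus,Crystal
"""


def validate_token_row(row: dict) -> list[str]:
    """Return the problems found in one CSV row (an empty list means the row is fine)."""
    problems = []
    if "@" not in (row.get("upn") or ""):
        problems.append("upn is not a user principal name")
    if not row.get("serial number"):
        problems.append("serial number is empty")
    secret = (row.get("secret key") or "").strip().upper()
    if not secret:
        problems.append("secret key is empty")
    elif len(secret) > MAX_SECRET_CHARS:
        problems.append(f"secret key is {len(secret)} characters, limit is {MAX_SECRET_CHARS}")
    elif not _BASE32_RE.match(secret):
        problems.append("secret key is not base32 (A-Z, 2-7)")
    try:
        interval = int(row.get("time interval") or "")
    except ValueError:
        problems.append("time interval is not an integer")
    else:
        if interval not in ALLOWED_INTERVALS:
            problems.append(f"time interval {interval} is not one of {sorted(ALLOWED_INTERVALS)}")
    for col in ("manufacturer", "model"):
        if not row.get(col):
            problems.append(f"{col} is empty")
    return problems


def validate_csv(text: str) -> dict[int, list[str]]:
    """Check a whole upload file; returns {line number: problems} for every bad row."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != CSV_HEADER:  # strict match is this example's assumption
        return {1: [f"header row must be exactly: {','.join(CSV_HEADER)}"]}
    bad = {}
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        problems = validate_token_row(row)
        if problems:
            bad[lineno] = problems
    return bad


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the algorithm Azure AD computes for these tokens."""
    secret_b32 = secret_b32.strip().upper()
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))  # restore base32 padding
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_otp(secret_b32: str, otp: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side, to tolerate clock drift.
    The +/-1 step window is this example's assumption; Azure AD's real tolerance is not documented here."""
    return any(hmac.compare_digest(totp(secret_b32, unix_time + k * step, step), otp)
               for k in range(-window, window + 1))


if __name__ == "__main__":
    for lineno, problems in validate_csv(SAMPLE_CSV).items():
        print(f"line {lineno}: " + "; ".join(problems))
    # What the first token should be displaying right now, using that row's own time interval.
    row = next(csv.DictReader(io.StringIO(SAMPLE_CSV)))
    print("current code for", row["upn"], "is",
          totp(row["secret key"], int(time.time()), int(row["time interval"])))
```

Run it against your real file before uploading: a wrong header or a 45-second interval costs an upload round trip, whereas the script reports them immediately. If totp() computed from a row's seed and interval does not match what that physical token displays, the seed or interval in the CSV is wrong (or the token's clock has drifted), and activation in Step 4 will fail for exactly that reason.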

Continue reading on Protectimus Blog: https://www.protectimus.com/blog/hardware-token-azure-mfa/
