Azure MFA with Hardware token

Sometimes a mobile authenticator (OATH software token) just doesn’t cut it.

Then it’s good to have the option to add OATH hardware tokens to your Microsoft environment. The feature has been in preview for some time now. Microsoft’s documentation on it is pretty good and can be found here: OATH tokens authentication method – Azure Active Directory | Microsoft Docs

What are the use cases for this?
Well, there are several use cases. In some cases people will not use their personal mobile devices for work, and the company’s MFA requirement may be limited by what the company can “impose” on its employees. Then you can hand out an OATH hardware token, so that the MFA requirements are still met and you don’t need to circumvent them.

On the other hand, you might have user accounts that are shared by several employees, for instance in a production environment. The OATH token can then be kept somewhere safe at work, and the operator/employee who needs it for login can read the code from the token. This way MFA is still enforced, so the account is only accessed from the production station where it is used. I’m sure there are more use cases as well.

How to get going
First you need tokens, but before you choose your token you need to know whether you have Azure AD Premium P1 licenses for your users or not.
Microsoft requires an Azure AD P1 license if you are to use a hardware token. This comes with the M365 Business Premium and the M365 Enterprise E3 and E5 subscriptions. For accounts without these licenses you can get Azure AD P1 as a standalone license.

Now there are some OATH providers whose hardware tokens can be enrolled as a software token (called programmable OATH TOTP hardware tokens). The process to configure one is then just the same as for Microsoft Authenticator. These tokens are usually more expensive, but you don’t need the Azure AD P1 license for that user. If the user already has Azure AD P1 included, go for the default tokens.

I’ve tested both options above: tokens for users with an AAD P1 license, and the programmable token enrolled via the Microsoft Authenticator flow. Token2 provides these tokens, but there are other token providers out there as well. If you are getting several tokens, you can ask the vendor for some test tokens to evaluate.

Token2 Programmable TOTP token
Token2 classic TOTP token

Limitations
Current limitations are (check these as they may change) – OATH tokens authentication method – Azure Active Directory | Microsoft Docs

  • You can activate 200 OATH tokens every 5 minutes.
  • The preview is not supported in Azure Government or sovereign clouds.
  • Secret keys are limited to 128 characters.
  • The secret key can only contain the characters a-z or A-Z and digits 2-7, and must be encoded in Base32.
  • Hardware OATH tokens cannot be assigned to guest users

How to configure
Navigate to portal.azure.com and open your Azure Active Directory. Continue to Security -> MFA -> OATH tokens.

Image from Microsoft documentation

You then need to upload a CSV file with your token information; the CSV file looks like this, with one line for each token. The token provider usually has steps on how to get the secret key or how to program the tokens.
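Before uploading the CSV it is worth checking it against the limitations listed above, and checking that a token actually produces the code you expect from its seed, so a mistyped secret is caught before the token is handed to a user. The following Python script is an added example and is not part of the original post or of any vendor tool. The column layout (upn, serial number, secret key, time interval, manufacturer, model) is assumed to follow Microsoft’s documented CSV format, the accepted time intervals of 30 and 60 seconds are an assumption, and all UPNs, serial numbers and secrets in the sample file are constructed for this example.

```python
import base64
import csv
import hashlib
import hmac
import io
import re
import struct
import time

# Constructed sample CSV in the column layout assumed from Microsoft's documentation
# for the OATH token upload. Every UPN, serial number and secret below is made up.
SAMPLE_CSV = """upn,serial number,secret key,time interval,manufacturer,model
alice@contoso.example,1234567,JBSWY3DPEHPK3PXP,30,Token2,c202
bob@contoso.example,1234568,jbswy3dpehpk3pxp,60,Token2,c202
ops-line1@contoso.example,1234569,ABCDEFGH18,30,Token2,c202
carol@contoso.example,1234570,JBSWY3DPEHPK3PXP,45,Token2,c202
"""

REQUIRED_COLUMNS = ["upn", "serial number", "secret key", "time interval", "manufacturer", "model"]
BASE32_RE = re.compile(r"^[A-Za-z2-7]+$")   # the alphabet the portal accepts (Base32, no padding)
MAX_SECRET_LEN = 128                        # limit stated in the Microsoft docs
ALLOWED_INTERVALS = {30, 60}                # assumption: the time steps the portal accepts


def validate_rows(csv_text):
    """Return a list of (line_number, problem) tuples; an empty list means the file is clean."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames != REQUIRED_COLUMNS:
        return [(0, f"unexpected header {reader.fieldnames}")]
    problems = []
    for line, row in enumerate(reader, start=2):   # line 1 is the header
        secret = row["secret key"].strip()
        if not secret or len(secret) > MAX_SECRET_LEN:
            problems.append((line, "secret key is empty or longer than 128 characters"))
        elif not BASE32_RE.match(secret):
            problems.append((line, "secret key may only contain A-Z, a-z and digits 2-7 (Base32)"))
        try:
            interval = int(row["time interval"])
        except ValueError:
            interval = None
        if interval not in ALLOWED_INTERVALS:
            problems.append((line, f"time interval {row['time interval']!r} not in {sorted(ALLOWED_INTERVALS)}"))
        if "@" not in row["upn"]:
            problems.append((line, "upn does not look like a user principal name"))
    return problems


def totp(secret_b32, step=30, at=None, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, the algorithm OATH TOTP hardware tokens implement.

    Comparing this value with the code shown on the token confirms the seed in the
    CSV matches what was programmed into the device."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)   # restore Base32 padding
    key = base64.b32decode(padded)
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                       # dynamic truncation
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


if __name__ == "__main__":
    for line, problem in validate_rows(SAMPLE_CSV) or [(None, "no problems found")]:
        print(line, problem)
    # The code a token programmed with the first row's seed should be showing right now.
    print("current code for row 2:", totp("JBSWY3DPEHPK3PXP", step=30))
```

Run against the sample file, the script flags line 4 (the secret contains the digits 1 and 8, which are not in the Base32 alphabet) and line 5 (a 45 second interval). Lower-case secrets pass, as the documentation allows both cases. To check a physical token, paste its seed and time step into `totp()` and compare the result with the display; a mismatch usually means the seed was copied wrongly or the token was programmed with a different time step.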

