Re: Hardware OATH tokens in Azure MFA in the cloud are now available

@Helge_Auge Gemalto OTP 110 and DisplayCard work great as well -> https://safenet.gemalto.com/multi-factor-authentication/authenticators/safenet-otp-display-card/

Re: Hardware OATH tokens in Azure MFA in the cloud are now available

Hi @Helge_Auge, vendors are listed in the blog post.

Just as an example, if you have Azure AD P1/P2 - https://www.token2.com/shop/category/classic-tokens

If you don't have P1 or P2 - https://www.token2.com/shop/category/programmable-tokens

Re: Hardware OATH tokens in Azure MFA in the cloud are now available

Hi, can someone tell me which hardware OATH token works fine with Azure MFA?

I need a solution for users that do not have a company device (tablet or mobile device).

Thanks for your help

Helge

Re: Hardware OATH tokens in Azure MFA in the cloud are now available

Any word on when we can expect these options in the Government cloud? We have folks, because we're government, who can't have phones in secure areas. Hard to use MFA if we have no options other than phones!

Re: Hardware OATH tokens in Azure MFA in the cloud are now available

Is there any news? Q2 is around the corner...

https://www.slideshare.net/FIDOAlliance/microsofts-implementation-roadmap-for-fido2

Re: Hardware OATH tokens in Azure MFA in the cloud are now available

Hi, can OATH tokens be used as the primary authentication method?

Re: Hardware OATH tokens in Azure MFA in the cloud are now available

Is there any update on availability of mass activation? We are looking to move from our current environment (using TOTP tokens via Google Authenticator) to using Microsoft Azure, and have 38K+ OATH tokens to load up. While I can very easily create the CSV to upload them, there is no way I can go through that many and activate them all individually. A mass activate would be extremely useful (and in our case, necessary).

Re: Hardware OATH tokens in Azure MFA in the cloud are now available

Hello,

Is there any news about MFA and FIDO2 support? Is there any demo or presentation which tells what we can expect from FIDO2 and how it works with Azure?

Jan

Re: Hardware OATH tokens in Azure MFA in the cloud are now available

Hey @DNoel,

This isn't a scenario we support or can really advise you on, though I can broadly say such automation should **never** be used for real accounts: you'd be putting the account's password and second-factor secret out of the hands of the rightful user, so there's a lot of risk involved. Even doing so with accounts not tied to a specific user or without much privilege puts your whole tenant at risk: bad guys generally know they don't need specific or privileged accounts to get in; rather, *any* account is a good foothold.

That said, Azure MFA does support the OATH TOTP standard, so any compliant software OATH code generator should work with the service.

Re: Hardware OATH tokens in Azure MFA in the cloud are now available

I'm looking for a way to automate MFA authorization in code for automated testing that needs to log in and verify that MFA is turned on and is working without human intervention. Do you have guidelines or information on setting this up? Currently I'm looking at open source libraries to make this happen and I'm curious about the feasibility. Our automation is written in Java so I was looking at the following as a possible solution to the problem: https://github.com/aerogear/aerogear-otp-java

Re: Hardware OATH tokens in Azure MFA in the cloud are now available

Hey,

What is the ETA to have this available in Azure Gov clouds (GCC High)?

Thanks

Re: Hardware OATH tokens in Azure MFA in the cloud are now available

Thanks @Phillip Lyle, if you have any followups from your testing, DM me.

Re: Hardware OATH tokens in Azure MFA in the cloud are now available

I was able to fix this by removing my authenticator app and re-adding. It then worked as expected (both codes supported from the same option).

My co-worker did not run into the same issue. My authenticator app was working properly before, but I tried multiple separate MFA attempts after adding the hardware token and the verification code was rejected each time. We'll keep testing.

Re: Hardware OATH tokens in Azure MFA in the cloud are now available

@Phillip Lyle, my default is text for the time being; in addition I see phone call, and "Verification code from app", which is accepting 3 different OTPs: one from the app, the second from my programmable token, and the third from my OATH TOTP token.

This is my test tenant.

My production tenant also accepts more than one OTP in the "Verification code" field, as I have enrolled 2 different apps (in fact an app and a programmable token).

Re: Hardware OATH tokens in Azure MFA in the cloud are now available

I should note that I am in the preview experience.

Thanks, @Emin Huseynov. Are you saying that you can pick the "Use the verification code from the mobile app" option and use either the hardware token or authenticator code, from the single option? Or are you seeing two options? In your original post, you note that there is no hardware token option displayed.

@Michael McLaughlin Thanks, I sent you a DM.

Re: Hardware OATH tokens in Azure MFA in the cloud are now available

Hey @Phillip Lyle, that shouldn't be the case. Could you send me a direct message with some more information about what you're experiencing?

Re: Hardware OATH tokens in Azure MFA in the cloud are now available

@Phillip Lyle, my experience is different. You can add the token and OTPs from both are accepted just fine.

Re: Hardware OATH tokens in Azure MFA in the cloud are now available

We have noticed that you can't use the verification code from the Authenticator app and a hardware token simultaneously. The hardware token replaces the "Use a verification code from the app" prompt during MFA.

Will you be fixing this so that the hardware token is accurately represented, and the app code and hardware code can be used concurrently?

Re: Hardware OATH tokens in Azure MFA in the cloud are now available

@Michael McLaughlin Amazing job! Thank you for the super quick reaction to this matter. This will most definitely make the hardware-token a powerful option!

Re: Hardware OATH tokens in Azure MFA in the cloud are now available

Another mega-reply on the way!

@Hirmand Ebadi asked about user self-activation. Yes, we're absolutely planning that! It's a key scenario we're planning to build, basically as you described it. @bob slav, no way to do mass activation today, but hopefully the distributed approach helps you when we release it.

@abu shayeed asked about Safenet Mobilepass. It looks like a software OATH solution; we haven't tested it. In their documentation they say it's OATH TOTP compatible, so chances are it's compatible, but I can't say for sure. I'd suggest contacting Gemalto to see if they have guidance. However, if you're interested in a software authenticator, I'd suggest using the Microsoft Authenticator app to do push notification auth, which is a more seamless experience for your users.

@Michael Ranson - thanks for the steps!

Re: Hardware OATH tokens in Azure MFA in the cloud are now available

Great to see this and test out. To piggyback on Hirmand's question, is there a way to do a mass activate of the token either via CSV upload or PowerShell (rather than having to key in the OTP manually for each user)? Thanks!

Re: Hardware OATH tokens in Azure MFA in the cloud are now available

I used the following steps to activate my Yubikey 5 with Azure MFA. These steps might help others to generate their base32 secrets.

1. Install oathtool on Ubuntu
    apt-get install oathtool

2. Create random hex secret key
    head -10 /dev/urandom | md5sum | cut -b 1-30

3. Generate base32 secret with oathtool (grab one of your outputs from above and whack it in here instead)
    oathtool --totp --verbose 08c7ee546c81a1648983e9d69e6e51

4. Create yubico oath (Install Yubico Manager and run below exe)
    ykman.exe oath add Your@tenancy.microsoft.com
    Enter a secret key (base32): BDD64VDMQGQWJCMD5HLJ43SR

5. Upload to Azure MFA and click Activate

Re: Hardware OATH tokens in Azure MFA in the cloud are now available

Dear All,

Could anyone update me on whether Safenet Mobilepass is supported in Azure cloud MFA? Has anyone tested this feature?

Thanks in Advance

Re: Hardware OATH tokens in Azure MFA in the cloud are now available

Dear Microsoft-Team,

First of all I am very happy to read that you support OAUTH-Tokens! We have already obtained some and apart from a few flaws (mentioned above, like not describing the OAUTH-Method distinctively, but still showing as Code from Authenticator App) it works very well.

However, there is one thing that bothers our administrators and I hope that you will improve this once the Preview progresses into an official release:

When we receive the OAUTH-Hardwaretoken (e.g. SafeID - Deepnet) we register it on the Azure platform. This could be done for a bulk order of more than 1000 devices with a csv-file. BUT, when we actually want to activate the OAUTH-Token, this has to be done by the Azure administrator as well - manually. He has to enter the generated code from every single hardware token that has been registered before.

On the other hand, with smartphones users can purchase, register and activate the authenticator app on that particular device themselves without the need of an administrator.

**My question:** Do you think you can create a process where IT can register OAUTH-hardware tokens (not FIDO, but SafeID - Deepnet) on Azure through CSV files, but let users activate the hardware tokens themselves? I would imagine that during the activation process Azure will check the serial number of the token to verify that the token has been registered through an Azure administrator and thus make it trustworthy.

This would be such a relief, since users could even obtain hardware tokens themselves in case of a loss or theft, contact our IT, pass through the serial number, get their hardware token registered and then activate the hardware token themselves.

Thanks for your consideration!

Cheers

Re: Hardware OATH tokens in Azure MFA in the cloud are now available

Great to get some more information on this. We've been hoping this would be added for a few months now.

Going to get some new OATH tokens to give this a go straight away...

Re: Hardware OATH tokens in Azure MFA in the cloud are now available

@Michael McLaughlin, "Activating OATH doesn't change any credentials already registered for a user! It just sets OATH as their default MFA method"

Editing my comments (maybe something was fixed recently :) ), I confirm importing MFA **does not break SMS/Phone MFA method.**

However, it **is not setting OATH token as primary MFA method**; after activating the token I still had the phone as my primary method (which is fine). Also, the login page asks for "mobile authenticator", although the OTP from the token was accepted with no issues.

On the figure below, what the page asks for is, in fact, a code from my token, not my app.

[Image: image.png]

On the aka.ms/mfasetup page the name of the profile is made of the token name and its serial number.

On the same page, users can change the default MFA method from phone to token, but again, there is no "OATH token" in the list; it still says "app".

[Image: image.png]

It is also important to mention that multiple MFA devices work transparently fine; in addition to the hardware token I managed to add a mobile app profile (Google Authenticator) and it worked just fine, accepting both the hardware token and app-generated OTP without any issues.

[Image: image.png]

Re: Hardware OATH tokens in Azure MFA in the cloud are now available

Hey folks! Thanks for all the great comments. I'll respond to them all here.

Q: "Why is this in the MFA Server blade in the Azure Portal?"
A: Great question--we're continuing to evolve our UX for MFA and credentials management. The next stage isn't ready yet, but when it is, OATH tokens will move to a better aligned, more aptly-named location.

Q: "FIDO2 and FIDO U2F?"
A: Yes, we love FIDO2! At Ignite, we announced private preview for FIDO2 support, and we're shooting for public preview early in 2019. We don't have plans, though, for FIDO U2F--we think going passwordless is much more important than having yet another second factor.

Q: "Once OATH is activated for a user, can they not sign-in using SMS or mobile app?"
A: Activating OATH doesn't change any credentials already registered for a user! It just sets OATH as their default MFA method. If the user wants to use SMS, app, or any other cred, they can click "Sign-in another way" on the MFA screen. They can also change their default at MyApps > Profile > Edit Security Info.

Q: "Is there a way to disable support for multiple devices?"
A: No, it's on for all users.

Q: "What is the recommended procedure in case the token is damaged/lost/stolen?"
A: An admin can delete the token from the user in the admin interface. The user can also deactivate their token themselves from MyApps > Profile > Edit Security Info.

Q: "Why is the MFA Server blade saying we don't have an Azure Premium License?"
A: It's a bug--sorry! We have a fix coded and are going to deploy shortly.
slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F233339%22%20target%3D%22_blank%22%3E%40Kris%20Cears%3C%2FA%3E%26nbsp%3B%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F233280%22%20target%3D%22_blank%22%3E%40DANIEL%20LOWE%3C%2FA%3E%26nbsp%3BThe%20index%20page%20always%20shows%20%22Get%20Free%20Premium%22%2C%20but%20you%20should%20have%20%22OATH%20Tokens%22%20menu%20items%20as%20shown%20here%3A%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20758px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F58153iA45A60EE519EB61C%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22image.png%22%20title%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-277481%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-277481%22%20slang%3D%22en-US%22%3E%3CP%3E%40%20Daniel%20Lowe%2C%20I%20was%20just%20in%20our%20tenant%20yesterday%20and%20noticed%20the%20same%20thing%2C%20which%20surprised%20me%20as%20we%20have%20EMS%20E5%20licenses%20for%20all%20users.%20I%20noticed%20though%20that%20I%20could%20still%20click%20into%20the%20different%20options%20under%20MFA%20Server%20and%20configure%20them.%20I%20just%20checked%20a%20demo%20tenant%20I%20have%2C%20which%20includes%20EMS%20E3%2C%20and%20it%20does%20the%20same%20thing%2C%20so%20I%20think%20that%20Overview%20page%20for%20MFA%20Server%20is%20static%20and%20always%20shows%20the%20licensing%20message.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-277417%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLIN
GO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-277417%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EGreat%20news%2C%20been%20waiting%20for%20this%20feature%20for%20awhile%20now%2C%20but%20when%20i%20try%20enabling%20this%20and%20we%20click%20on%20MFA%20Server%20it%20shows%20we%20don%60t%20have%20a%20Azure%20Premuim%20License%3F%26nbsp%3B%20We%20currently%20have%20a%20A3%20License%2C%20which%20includes%20Azure%20AD%20Premium%20P1%20licenses.%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-277238%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-277238%22%20slang%3D%22en-US%22%3EGreat%20news!%20Looking%20forward%20to%20get%20new%20features%20GA%20soon.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-277211%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-277211%22%20slang%3D%22en-US%22%3E%3CP%3EI%20hate%20to%20be%20that%20guy%20that%20gets%20what%20he%20has%20been%20waiting%20for%20but%20then%20asks...%20Is%20there%20a%20way%20to%20disable%20%22support%20for%20multiple%20devices%22%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-277205%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-277205%22%20slang%3D%22en-US%22%3E%3CP%3ETo%20the%20comment%20about%20the%20YubiKey%205%20not%20being%20supported%20by%20the%20Yubico%20Authenticator%20App%2C%20it%20should%20work%20fine.%26nbsp%3B%20I%20double%20checked%20and%20I%20was%20able%20to%20set%20up%20a%20YubiKey%205%20without%20any%20issues.%26nbsp%3B%20If%20you%20are%20seeing%20an%20issue%2C%20let%20us%20know.%26nbsp%3B%2
0The%20best%20way%20to%20contact%20Yubico%20is%20via%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fsupport.yubico.com%2Fsupport%2Ftickets%2Fnew%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.yubico.com%2Fsupport%2Ftickets%2Fnew%26nbsp%3B%3C%2FA%3E%20but%20you%20can%20reach%20out%20to%20me%20too.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBTW%2C%20we%20just%20published%20our%20how%20to%20guide%20on%20implementing%20YubiKeys%20with%20Azure%20MFA.%26nbsp%3B%20Check%20it%20out.%20%3CA%20href%3D%22https%3A%2F%2Fsupport.yubico.com%2Fsupport%2Fsolutions%2Farticles%2F15000016486-using-yubikeys-with-azure-mfa%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferre
r%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.yubico.com%2Fsupport%2Fsolutions%2Farticles%2F15000016486-using-yubikeys-with-azure-mfa%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EExcited%20to%20see%20Azure%20MFA%20support!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDavid%20Treece%3C%2FP%3E%3CP%3EYubico%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-277192%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-277192%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20definitely%20a%20great%20improvement.%20Any%20chance%20we'll%20see%20Universal%20Two%20Factor%20(U2F)%20supported%20anytime%20soon%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Foffice365.uservoice.com%2Fforums%2F264636-general%2Fsuggestions%2F8703772-fido-u2f%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EPlease%20vote%20for%20U2F%20on%20UserVoice!%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-277149%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22li
ngo-body-277149%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3EAm%20I%20getting%20it%20right%20that%20an%20OATH%20token%20activated%20user%20cannot%20login%20using%20sms%20or%20mobile%20app%3F%20What%20is%20the%20recommended%20procedure%20in%20case%20the%20token%20is%20damaged%2Flost%2Fstolen%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-277048%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-277048%22%20slang%3D%22en-US%22%3E%3CP%3EFido2%20keys%20(with%20biometrics)%20support%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-277033%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-277033%22%20slang%3D%22en-US%22%3E%3CP%3ECareful%20with%20Yubikey%205%20%2C%20has%20their%20App%20is%20not%20yet%20supported.%26nbsp%3B%20Go%20with%20another%20model.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-277010%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-277010%22%20slang%3D%22en-US%22%3E%3CP%3ESo%20why%20is%20this%20feature%2C%20available%20only%20for%20Azure%20MFA%20%22in%20the%20cloud%22%2C%20configurable%20via%20a%20blade%20called%20%22MFA%20server%22%2C%20most%20of%20the%20settings%20on%20which%20%22%3CSPAN%20style%3D%22text-align%3A%20left%3B%20color%3A%20rgb(0%2C%200%2C%200)%3B%20text-transform%3A%20none%3B%20text-indent%3A%200px%3B%20letter-spacing%3A%20normal%3B%20font-family%3A%20az_ea_font%2C%26quot%3BSegoe%20UI%26quot%3B%2Cwf_segoe-ui_normal%2C%26quot%3BSegoe%20WP%26quot%3B%2CTahoma%2CArial%2Csans-serif%3B%20font-size%3A%2012px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20text-decoration%3A%20no
ne%3B%20word-spacing%3A%200px%3B%20float%3A%20none%3B%20display%3A%20inline%20!important%3B%20white-space%3A%20normal%3B%20orphans%3A%202%3B%20background-color%3A%20transparent%3B%20-webkit-text-stroke-width%3A%200px%3B%22%3Eonly%20applies%20to%20MFA%20Server%20deployment%3C%2FSPAN%3E%22%3F%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-433351%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-433351%22%20slang%3D%22en-US%22%3E%3CP%3EIt's%20my%20understanding%20that%26nbsp%3BOAuth%20with%20TOTP%20has%20no%20means%20of%20verifying%20the%20actual%20URL%20of%20the%20page%20displaying%20the%20request%20for%20the%20MFA%20code%2C%20so%20attackers%20are%20now%20just%20making%20fraudulent%20fake%20MFA%20request%20webpages%20and%20phishing%20the%20TOTP%20codes%2C%20much%20like%20they've%20been%20doing%20for%20passwords%20for%20decades.%26nbsp%3B%20Meaning%20that%20OAuth%20will%20only%20protect%20us%20from%20incompetent%20attackers%20and%20persistent%20recurring%20login%20breaches%20(since%20attackers%20would%20need%20to%20Phish%20the%20TOTP%20code%20each%20time%20they%20logged%20in...)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20that%20vulnerability%20to%20Phishing%20accurate%3F%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3BOr%20is%20there%20Phishing%20protection%20in%20OAuth%20like%20U2F%20and%20FIDO2%20have%3F%26nbsp%3B%20%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-434408%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-434408%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318931%22%20target%3D%22_blank%22%3E%40Torsion-Limit%3C%2FA%3E%26nbsp%3B%20%2C%26nbsp%3Bthere%20is%20nothing%
20that%20can%20fully%20protect%20all%20users%2C%20and%20overall%26nbsp%3Bthese%20techniques%20are%20still%20a%20balance%20between%20security%20and%20user%20experience%3C%2FP%3E%3CP%3EAssuming%20the%20first%20factor%20is%20compromised%3A%3C%2FP%3E%3CP%3E-%20TOTP%20phishing%20is%20theoretically%20possible%20mainly%20in%20a%20%22manual%22%20mode.%20Meaning%20that%20the%20victim%20should%20be%20targeted%20and%20the%20attack%20itself%20can%20be%20performed%20in%20real-time.%26nbsp%3B%3C%2FP%3E%3CP%3E-%20If%20we%20are%20talking%20about%20such%20targeted%20attacks%2C%26nbsp%3B%20U2F%20is%20also%20not%20100%25%20secure%20-%20the%20attacker%20would%20only%20need%20physical%20access%20to%20the%20U2F%20key%20for%20a%20short%20time%20%3A%20the%20attacker%20will%26nbsp%3B%20need%20to%20log%20in%2C%20enrol%20another%20key%20and%20put%20the%20original%20key%20back.%20Stealing%20a%20U2F%20key%20is%20harder%20that%20TOTP%20phishing%2C%20but%20this%20would%20give%20permanent%20access%20(whereas%20with%20TOTP%20they%20%22%3CSPAN%3Eneed%20to%20Phish%20the%20TOTP%20code%20each%20time%20they%20logged%20in%22)%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EThere%20are%20other%20(less%20common)%20aspects%20of%20U2F%20security%20to%20be%20aware%20of%3A%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwww.wired.com%2Fstory%2Fchrome-yubikey-phishing-webusb%2F%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%2
0noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.wired.com%2Fstory%2Fchrome-yubikey-phishing-webusb%2F%26nbsp%3B%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E-%20FIDO2%20with%20biometrics%20is%20more%20secure%20and%20phish-proof%20(and%20Microsoft%20is%20moving%20that%20direction)%2C%20but%20it%20has%20its%20own%20downsides.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EMain%20being%20having%20to%20plug%20something%20to%20your%20USB%20port%20(which%20is%20disabled%20btw%20in%20many%20organizations)%2C%20and%20this%20is%20something%20many%20users%20would%20like%20to%20avoid.%20It%20has%20its%20own%20risks%20as%20well%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.secsign.com%2Fusb-authentication-keys-tokens-bad-idea%2F%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.secsign.com%2Fusb-authentication-keys-tokens-bad-idea%2F%26nbsp%3B%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-541181%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-541181%22%20slang%3D%22en-US%22%3E%3CP%3EIt's%20my%20understanding%20that%20this%20only%20supports%20the%20old%20(proven%20to%20be%20insecure)%20sha-1%20for%20hardware%20toke
ns.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ewhen%20are%20we%20going%20to%20get%20sha-256%20support%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-541373%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-541373%22%20slang%3D%22en-US%22%3E%3CBLOCKQUOTE%3E%3CP%3E%3CSPAN%3Ethe%20old%20(proven%20to%20be%20insecure)%20sha-1%20for%20hardware%20tokens.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FBLOCKQUOTE%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F336887%22%20target%3D%22_blank%22%3E%40blob63%3C%2FA%3E%26nbsp%3B%2C%20with%20TOTP%20SHA-1%20is%20used%20only%20for%20generating%20a%20secret%20key%20and%20is%20not%20really%20a%20pure%20SHA-1%2C%20it%20is%20HMAC-SHA1.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EHere%20is%20a%20quote%20from%20another%20discussion%20of%20this%20topic%3A%3C%2FSPAN%3E%3C%2FP%3E%3CBLOCKQUOTE%3E%3CP%3E%3CSPAN%3E1)%20the%20TOTP%20algorithm%20SHA-hashes%20a%20constantly-changing%20%E2%80%9Cdocument%E2%80%9D%2C%20composed%20of%20a%20per-user%20secret%20key%20and%20the%20current%20timestamp%20(pegged%20to%2030-second%20time%20steps)%2C%20and%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E2)%20the%206-digit%20nonce%20that%E2%80%99s%20generated%20is%20checked%20at%20the%20server%20side%2C%20which%20can%20do%20simple%20rate-limiting%20(e.g.%20get%20it%20wrong%20twice%2C%20and%20you%20have%20to%20wait%20till%20the%20next%2030-second%20period%E2%80%A6which%20requires%20a%20new%20nonce)%26nbsp%3B%3C%2FP%3E%3C%2FBLOCKQUOTE%3E%3CP%3EA%20bit%20off-topic%2C%20but%20when%20it%20comes%20to%20one-time%20password%2C%20even%20%3CA%20href%3D%22http%3A%2F%2Fmotp.sourceforge.net%2Fmd5.html%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20no
referrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMD5%3C%2FA%3E%20is%20secure%20enough.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-652566%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-652566%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20some%20time%20has%20passed%20since%20last%20autumn.%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F160477%22%20target%3D%22_blank%22%3E%40Michael%20McLaughlin%3C%2FA%3E%20is%20there%20an%20news%20on%20the%20user%20self%20enrollment%20for%20OATH%20tokens%3F%3C%2FP%3E%3CP%3EI%20really%20like%20the%20idea%20to%20utilizing%20tokens%20in%20AAD%20MFA%2C%20rather%20than%20going%20for%20an%20alternate%20MFA%20provider%20in%20Azure.%26nbsp%3B%20But%20the%20admin%20experience%20right%20now%20ist%20not%20handy%20for%20a%2065000%20user%20tenant%20%E2%80%A6.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-686718%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-686718%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EDeepnet%20Security%20has%20now%20created%20a%20new%20web%20page%20dedicated%20to%20hardware%20tokens%20for%20Azure%20MFA%20and%20Office%20365%2C%20and%20provides%20information%20of%20how%20to%20use%20SafeID%20tokens%20with%20Azure%20MFA%20(see%20following%20link)%3B%3C%2FSPAN%3E%3
C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22http%3A%2F%2Fwww.deepnetsecurity.com%2Fauthenticators%2Fone-time-password%2Fsafeid%2Fhardware-mfa-tokens-office-365-azure-multi-factor-authentication%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fwww.deepnetsecurity.com%2Fauthenticators%2Fone-time-password%2Fsafeid%2Fhardware-mfa-tokens-office-365-azure-multi-factor-authentication%2F%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-725538%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-725538%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20updates%20on%20when%20this%20will%20be%20GA%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-276466%22%20slang%3D%22en-US%22%3EHardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-276466%22%20slang%3D%22en-US%22%3E%3CP%3EHowdy%20folks!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%E2%80%99m%20excited%20to%20announce%20the%20public%20preview%20of%20hardware%20OATH%20tokens%20in%20Azure%20Multi-Factor%20Authentication%20(Azure%20MFA)%20in%20the%20cloud!%20We%E2%80%99ve%20had%20several%20phone-based%20methods%20available%20since%20launching%20Azure%20MFA%2C%20and%20we%E2%80%99ve%20seen%20incredible%20adoption.%20But%20many%20of%20our%
20customers%20have%20users%20who%20don%E2%80%99t%20have%20a%20phone%20available%20when%20they%20need%20to%20authenticate.%20Today%2C%20MFA%20is%20available%20for%20those%20users%20too!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAt%20the%20same%20time%2C%20we%20added%20support%20for%20multiple%20MFA%20devices.%20Your%20users%20can%20now%20have%20up%20to%20five%20devices%20in%20any%20combination%20of%20hardware%20or%20software%20based%20OATH%20tokens%20and%20the%20Microsoft%20Authenticator%20app.%20This%20gives%20them%20the%20ability%20to%20have%20backup%20devices%20ready%20when%20they%20need%20them%20and%20to%20use%20different%20types%20of%20credentials%20in%20different%20environments.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMultiple%20device%20support%20is%20available%20for%20all%20users%20with%20Azure%20Active%20Directory%20(Azure%20AD)%20MFA%20in%20the%20cloud.%20Hardware%20OATH%20tokens%20are%20available%20for%20users%20with%20an%20Azure%20AD%20Premium%20P1%20or%20P2%20license.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ECheck%20out%20our%20%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-authentication-methods%23oath-hardware-tokens%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ecredential%20docs%3C%2FA%3E%3C%2FSPAN%3E%20and%20read%20on%20to%20try%20out%20hardware%20OATH%20tokens%20in%20your%20tenant.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-1505537623%22%20id%3D%22toc-hId-1505537623%22%20id%3D%22toc-hId-1505537623%22%20id%3D%22toc-hId-1505537623%22%20id%3D%22toc-hId-15055376
23%22%20id%3D%22toc-hId-1505537623%22%20id%3D%22toc-hId-1505537623%22%20id%3D%22toc-hId-1505537623%22%20id%3D%22toc-hId-1505537623%22%20id%3D%22toc-hId-1505537623%22%20id%3D%22toc-hId-1505537623%22%20id%3D%22toc-hId-1505537623%22%20id%3D%22toc-hId-1505537623%22%20id%3D%22toc-hId-1505537623%22%20id%3D%22toc-hId-1505537623%22%20id%3D%22toc-hId-1505537623%22%3ESupport%20for%20OATH%20tokens%20for%20Azure%20MFA%20in%20the%20cloud%3C%2FH3%3E%0A%3CP%3EFirst%2C%20you%20will%20need%20some%20OATH%20tokens%20from%20the%20vendor%20of%20your%20choice.%20You%20can%20use%20any%20OATH%20TOTP%20token%20with%20a%2030-%20or%2060-second%20refresh%20that%20has%20a%20secret%20key%20of%20128%20characters%20or%20less.%20Some%20vendors%20include%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSPAN%3E%3CA%20href%3D%22http%3A%2F%2Fwww.deepnetsecurity.com%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EDeepNet%20Security%3C%2FA%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwww.token2.com%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EToken2%3C%2FA%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwww.yubico.com%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20nore
ferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EYubico%3C%2FA%3E%3C%2FSPAN%3E%20(Requires%20an%20accessory%20app.)%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EBecause%20OATH%20is%20a%20standard%2C%20you%E2%80%99re%20not%20locked%20to%20a%20single%20vendor%20or%20form%20factor.%20Once%20you%20purchase%20the%20keys%20from%20your%20vendor%2C%20they%20need%20to%20send%20you%20a%20file%20with%20a%20secret%20key%2C%20serial%20number%2C%20time%20interval%2C%20manufacturer%2C%20and%20model%20for%20each%20token.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20assign%20the%20tokens%20to%20users%2C%20edit%20that%20file%20to%20add%20your%20user%E2%80%99s%20user%20principal%20names%20(usually%20their%20email%20address)%20and%20then%20upload%20it%20to%20%3CSTRONG%3EAzure%20Porta%3C%2FSTRONG%3El%20%26gt%3B%20%3CSTRONG%3EAzure%20Active%20Directory%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3EMFA%20Server%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3EOATH%20tokens%3C%2FSTRONG%3E.%20Make%20sure%20to%20use%20the%20format%20described%20in%20the%20%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-authentication-methods%23oath-hardware-tokens%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Edocs%3C%2FA%3E%3C%2FSPAN%3E%E2%80%94the%20secret%20is%2

Howdy folks!

I’m excited to announce the public preview of hardware OATH tokens in Azure Multi-Factor Authentication (Azure MFA) in the cloud! We’ve had several phone-based methods available since launching Azure MFA, and we’ve seen incredible adoption. But many of our customers have users who don’t have a phone available when they need to authenticate. Today, MFA is available for those users too!

At the same time, we added support for multiple MFA devices. Your users can now have up to five devices in any combination of hardware- or software-based OATH tokens and the Microsoft Authenticator app. This gives them the ability to have backup devices ready when they need them and to use different types of credentials in different environments.

Multiple device support is available for all users with Azure Active Directory (Azure AD) MFA in the cloud. Hardware OATH tokens are available for users with an Azure AD Premium P1 or P2 license.

Check out our credential docs and read on to try out hardware OATH tokens in your tenant.

Support for OATH tokens for Azure MFA in the cloud

First, you will need some OATH tokens from the vendor of your choice. You can use any OATH TOTP token with a 30- or 60-second refresh that has a secret key of 128 characters or less. Some vendors include:

Because OATH is a standard, you’re not locked to a single vendor or form factor. Once you purchase the keys from your vendor, they need to send you a file with a secret key, serial number, time interval, manufacturer, and model for each token.

To assign the tokens to users, edit that file to add your user’s user principal names (usually their email address) and then upload it to Azure Portal > Azure Active Directory > MFA Server > OATH tokens. Make sure to use the format described in the docs—the secret is in base 32! Also keep the header row in the file. Then, activate each token and hand them out to your users.
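
An added example (not from the original post or Microsoft's tooling): a pre-upload check of the token file against the constraints above (header row kept, base32 secret of at most 128 characters, 30- or 60-second interval) that also computes the RFC 6238 code each token should be showing at activation. The header spelling and column order, HMAC-SHA1 with six digits, and the sample rows are assumptions; confirm the file format against the docs.

```python
import base64, csv, hashlib, hmac, io, struct, time

# Assumed header row (the post lists these fields, not their order); check the docs.
HEADER = ["upn", "serial number", "secret key", "time interval", "manufacturer", "model"]

def decode_secret(secret):  # raw key bytes, or ValueError if not usable base32
    s = secret.strip().replace(" ", "").upper()
    if not s or len(s) > 128:
        raise ValueError("secret must be 1-128 characters")
    try:
        return base64.b32decode(s + "=" * (-len(s) % 8))
    except Exception as exc:
        raise ValueError("secret is not base32") from exc

def totp(key, unix_time, interval, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 (assumed token algorithm)."""
    counter = struct.pack(">Q", int(unix_time) // interval)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def check_token_file(text, now):
    """Validate each row; return (ok_rows, errors)."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or [c.strip().lower() for c in rows[0]] != HEADER:
        return [], ["line 1: header row missing or altered"]
    ok, errors = [], []
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(HEADER):
            errors.append(f"line {n}: expected {len(HEADER)} columns")
            continue
        upn, serial, secret, interval = (c.strip() for c in row[:4])
        try:
            if "@" not in upn:
                raise ValueError("upn missing")
            if interval not in ("30", "60"):
                raise ValueError("time interval must be 30 or 60")
            key = decode_secret(secret)
        except ValueError as exc:
            errors.append(f"line {n}: {exc}")
            continue
        ok.append((upn, serial, totp(key, now, int(interval))))
    return ok, errors

# Constructed sample: RFC 6238 test key, a hex secret pasted by mistake, a 45 s interval.
SAMPLE = """upn,serial number,secret key,time interval,manufacturer,model
alice@example.com,1000001,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,30,ExampleCo,HW-1
bob@example.com,1000002,3132333435363738393031323334353637383930,30,ExampleCo,HW-1
carol@example.com,1000003,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,45,ExampleCo,HW-1
"""

if __name__ == "__main__":
    print(check_token_file(SAMPLE, time.time()))
```

The vendor file holds every token's seed, so run a check like this on an admin workstation and delete the file once the upload is confirmed.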


Support for multiple devices in Azure MFA

In addition to hardware tokens, we also rolled out support for multiple authenticator devices. Your users can now have up to five devices across the Authenticator app, software OATH tokens, and hardware OATH tokens. This is great to give your users different devices for different environments and to let them have backup devices in case they lose one or forget one at home.

Multiple device support is available today for all users—there’s nothing you need to do to get started!

These are just the start of a lot of changes we’re making to MFA and authentication in Azure as we drive toward a password-less future, so stay tuned here to learn more about the amazing developments as they come.

You can also let us know what you think in the comments below. As always, we’d love to hear any feedback or suggestions you have.

Best regards,

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

56 Comments
Regular Visitor

As far as I know, Conditional Access requires a premium license (P1 or P2). Thus, you can use any OATH hardware tokens. I believe this article can answer your question and provide information on how to implement hardware tokens while deploying Azure MFA: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted

Occasional Visitor

We have created a number of bulk programmatic approaches to prepare and assign users hardware tokens (200 for now) for TOTP use. One area we haven't found a solution for is bulk activating the tokens once ingested into the portal - we have programmatic ways to leverage the assigned secret key for each token to generate the TOTP pin for activation, but know of no way to call for the activation itself - is there a solution today that can accomplish this task outside of individually 'clicking' to activate with a code?

Hi @jjordon - We don't support this capability today; we will consider it for a future release.

Senior Member

Is there a way to generate a temp token on behalf of a user when they call support and provide access?

Occasional Visitor
Hi! Noob question here but I can't quite understand our MFA options when using PTA instead of ADFS. I read we can, under Conditional Access, use some 3rd party MFA solutions (like Gemalto, Duo, RSA...) but what would be the point, really? Only having the possibility to also use hardware tokens? I don't get it. BTW, we already have P1 or P2 (don't remember which...). Our need is simply: adding MFA with "phone-as-a-token" and hardware token solutions, combined with CARTA (Continuous Adaptive Risk and Trust Assessment) capabilities. Thanking you in advance.
Frequent Visitor

It would be useful if there was an Azure role that could be assigned to a helpdesk user to just allow manipulation of the hardware tokens.