Hardware OATH tokens in Azure MFA in the cloud are now available
Published Oct 23 2018 09:00 AM 249K Views

Howdy folks!


I’m excited to announce the public preview of hardware OATH tokens in Azure Multi-Factor Authentication (Azure MFA) in the cloud! We’ve had several phone-based methods available since launching Azure MFA, and we’ve seen incredible adoption. But many of our customers have users who don’t have a phone available when they need to authenticate. Today, MFA is available for those users too!


At the same time, we added support for multiple MFA devices. Your users can now have up to five devices in any combination of hardware- or software-based OATH tokens and the Microsoft Authenticator app. This gives them the ability to have backup devices ready when they need them and to use different types of credentials in different environments.


Multiple device support is available for all users with Azure Active Directory (Azure AD) MFA in the cloud. Hardware OATH tokens are available for users with an Azure AD Premium P1 or P2 license.


Check out our credential docs and read on to try out hardware OATH tokens in your tenant.


Support for OATH tokens for Azure MFA in the cloud

First, you will need some OATH tokens from the vendor of your choice. You can use any OATH TOTP token with a 30- or 60-second refresh that has a secret key of 128 characters or less. Some vendors include:

Because OATH is a standard, you're not locked in to a single vendor or form factor. Once you purchase the tokens from your vendor, they need to send you a file with the secret key, serial number, time interval, manufacturer, and model for each token.


To assign the tokens to users, edit that file to add each user's user principal name (usually their email address) and then upload it to Azure Portal > Azure Active Directory > MFA Server > OATH tokens. Make sure to use the format described in the docs—the secret is in base32! Also keep the header row in the file. Then, activate each token and hand them out to your users.
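As an added example (not code from the original post or from Microsoft), the following Python script checks a prepared seed file against the constraints the post lists (header row present, secret in base32 and at most 128 characters, 30- or 60-second interval, every column filled in) before it is uploaded, and computes the RFC 6238 TOTP code for a seed so an admin can confirm a token's seed is correct before activating it. The CSV header names follow the Azure MFA documentation and are treated as an assumption here; the UPNs, serial numbers and sample rows are constructed for the example.

```python
import base64
import binascii
import csv
import hashlib
import hmac
import io
import struct
import time
from typing import List, Optional

# Header the Azure portal expects for the OATH token upload CSV (taken from the
# Azure MFA docs; an assumption here, since the post does not spell it out).
CSV_HEADER = ["upn", "serial number", "secret key", "time interval", "manufacturer", "model"]

ALLOWED_INTERVALS = {30, 60}   # the post: 30- or 60-second refresh
MAX_SECRET_CHARS = 128         # the post: secret key of 128 characters or less

# Constructed sample files. GOOD_CSV uses the RFC 6238 reference seed
# "12345678901234567890" in base32; BAD_CSV has a hex seed and a 45-second interval.
GOOD_CSV = """upn,serial number,secret key,time interval,manufacturer,model
alice@contoso.example,1234567890,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,30,Contoso,TOTP-Demo
"""
BAD_CSV = """upn,serial number,secret key,time interval,manufacturer,model
bob@contoso.example,1234567891,3132333435363738393031323334353637383930,45,Contoso,TOTP-Demo
"""


def decode_base32_secret(secret: str) -> bytes:
    """Decode a base32 seed, tolerating missing '=' padding, spaces and lowercase."""
    s = secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s, casefold=True)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1, the algorithm these tokens use."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, interval: int = 30, at: Optional[int] = None, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `interval`-second steps since the Unix epoch."""
    now = int(time.time()) if at is None else at
    return hotp(decode_base32_secret(secret_b32), now // interval, digits)


def validate_seed_csv(text: str) -> List[str]:
    """Return the problems found in a seed file prepared for upload (empty list = OK)."""
    problems: List[str] = []
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    if not rows or [h.strip().lower() for h in rows[0]] != CSV_HEADER:
        problems.append("row 1: header row missing or not '%s'" % ",".join(CSV_HEADER))
        return problems
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(CSV_HEADER):
            problems.append(f"row {n}: expected {len(CSV_HEADER)} columns, got {len(row)}")
            continue
        upn, serial, secret, interval, manufacturer, model = (c.strip() for c in row)
        if "@" not in upn:
            problems.append(f"row {n}: upn '{upn}' does not look like a user principal name")
        if not serial:
            problems.append(f"row {n}: serial number is empty")
        if len(secret) > MAX_SECRET_CHARS:
            problems.append(f"row {n}: secret key longer than {MAX_SECRET_CHARS} characters")
        try:
            decode_base32_secret(secret)
        except (binascii.Error, ValueError):
            problems.append(f"row {n}: secret key is not valid base32 (hex seeds must be converted)")
        if not interval.isdigit() or int(interval) not in ALLOWED_INTERVALS:
            problems.append(f"row {n}: time interval must be one of {sorted(ALLOWED_INTERVALS)}")
        if not manufacturer or not model:
            problems.append(f"row {n}: manufacturer and model must both be filled in")
    return problems


if __name__ == "__main__":
    for name, data in (("GOOD_CSV", GOOD_CSV), ("BAD_CSV", BAD_CSV)):
        print(name, "->", validate_seed_csv(data) or "OK")
    # The code a token seeded from GOOD_CSV should be displaying right now;
    # compare it with the token before activating it in the portal.
    print("current code for alice's token:", totp("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", 30))
```

Run the validator over the edited vendor file before uploading it; a hex seed (what some vendors ship) will fail the base32 check and must be re-encoded first. The `totp` function uses HMAC-SHA1, which is the algorithm the post's tokens use; a token with a non-matching code points at a wrong seed, interval or clock, not at the portal.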


[Screenshot: Azure MFA in the cloud]


Support for multiple devices in Azure MFA


In addition to hardware tokens, we also rolled out support for multiple authenticator devices. Your users can now have up to five devices across the Authenticator app, software OATH tokens, and hardware OATH tokens. This lets you give your users different devices for different environments and lets them keep backup devices in case they lose one or forget one at home.


Multiple device support is available today for all users—there’s nothing you need to do to get started!


This is just the start of many changes we're making to MFA and authentication in Azure as we drive toward a password-less future, so stay tuned here to learn about the developments as they come.


You can also let us know what you think in the comments below. As always, we’d love to hear any feedback or suggestions you have.


Best regards,

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

86 Comments
Copper Contributor

As far as I know, Conditional Access requires a premium license (P1 or P2). Thus, you can use any OATH hardware tokens. I believe this article can answer your question and provide information on how to implement hardware tokens while deploying Azure MFA: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted

Copper Contributor

We have created a number of bulk programmatic approaches to prepare and assign users hardware tokens (200 for now) for TOTP use. One area we haven't found a solution for is bulk activating the tokens once ingested into the portal - we have programmatic ways to leverage the assigned secret key for each token to generate the TOTP pin for activation, but know of no way to call for the activation itself - is there a solution today that can accomplish this task outside of individually 'clicking' to activate with a code?

Hi @jjordon - We don't support this capability today; we will consider it for a future release.

Copper Contributor

Is there a way to generate a temp token on behalf of a user when they call support and provide access?

Copper Contributor
Hi! Noob question here, but I can't quite understand our MFA options when using PTA instead of ADFS. I read we can, under Conditional Access, use some 3rd party MFA solutions (like Gemalto, Duo, RSA...) but what would be the point, really? Only having the possibility to also use hardware tokens? I don't get it. BTW, we already have P1 or P2 (don't remember which...). Our need is simply: adding MFA with "phone-as-a-token" and hardware token solutions, combined with CARTA (Continuous Adaptive Risk and Trust Assessment) capabilities. Thanking you in advance.
Copper Contributor

It would be useful if there was an Azure role that could be assigned to a helpdesk user to just allow manipulation of the hardware tokens.

Copper Contributor

Why isn't this out of preview yet?

Hi Michael -

There have been other MFA priorities ahead of this. Sorry it is taking so long. We are doing our best to get everything in MFA to GA in the next 6 months.

Regards,

Alex

Whether Entrust tokens are supported

Please let us know whether Entrust tokens are supported for Azure MFA. If they are supported, can you please share some documents?

Copper Contributor

Hi Alex, can you please give us an update when you expect the hardware OATH token feature to come out of GA? According to your last statement it could be soon. Our use case is to supply the part of our big workforce that does not have a company phone and does not want to use their private devices with hardware tokens.

All,

Please let us know if Entrust hardware tokens or soft tokens are supported with Azure MFA.

Copper Contributor

Any update on support for OATH token self-registration for users? Or even just an API we could call so that we could build our own? We're trying to migrate from Azure MFA Server and also in the process of migrating from older USB tokens to OATH tokens, and the lack of self-registration or the ability to automate the process is a blocker for us.

Copper Contributor

Any idea when this will come out of Public Preview? I am concerned that this has been in Public Preview for nearly 2 years. It seems like an essential piece to an MFA rollout.

Copper Contributor

Do you have any news on support for SHA-256?

Copper Contributor

Thank you. Cool feature, released in 2018, and yet there is no custom RBAC role in Azure AD to deal with hardware token management. Why is it tagged to the Global Admin?

This is the response I got from Microsoft Premier Support. It's been 2 years and the PG is still figuring out RBAC? I don't think so.

Any thoughts?

At this time, we have received feedback on the requirement of a Directory role to manage MFA configuration on Azure AD. Currently, only the Global Administrator has access to MFA related blades.

Our Product Group is working to have roles for MFA management as an improvement based on customer feedback but unfortunately, we have no ETA on when this will be available on Azure AD.

We apologize for any inconvenience or confusion this could cause. Please feel free to let me know any questions or concerns on this in which I could help.


Microsoft

Hi @Alex Simons (AZURE) - Is there a way for admins to delete the authenticator apps set up by the user, in case a user has registered more than five authenticator apps and is unable to log in to myaccount as it's MFA enabled?

Regards,

Padma

Iron Contributor

@paparth Does AAD allow end users to register more than 5 authenticators when it's limited by the admin?

Microsoft

@Alexey Goncharov - Nope, it doesn't. Upon the sixth attempt to set up the authenticator app, an error is thrown: "You cannot have more than 5 hardware tokens or authenticator apps...."

Iron Contributor

@paparth I'm trying to get a better understanding of your use case scenario, where IT admins' involvement might be required in a self-service environment in which end users manage their 2FAs by themselves.

Microsoft

@Alexey Goncharov - Let's assume the below:

1. Tenant A has MFA enabled for all users and configured the authenticator app as the only second factor (unable to enable other factors like SMS/e-mail due to security reasons)

2. User X from Tenant A had registered the authenticator app five times

3. User X has either lost or changed five devices (device is not in possession)

When user X logs into myapps/myaccount, it prompts for the second factor. Since the user does not have a way to receive the second factor, the user is unable to log in. The user then calls the admin and the admin resets the user's MFA registration status.

When the user logs in again, the user is prompted to register a second factor (which is the mobile app); when the user tries to register the authenticator app for the sixth time, the user receives an error: "You cannot have more than 5 hardware tokens or authenticator apps...."

Now the user cannot delete the existing registrations since myapps/myaccount is MFA enabled, and there is no way for the admin to delete those user registrations.

This is a kind of weird scenario, but not uncommon, as a few customers are experiencing this.

Iron Contributor

@paparth Thanks for the detailed response, it's a really weird scenario, I fully agree with you. Perhaps it might be easier to enable a temporary exception on Conditional Access rules (for instance, via temporary Azure AD group membership) to allow user X to deactivate unused/unavailable 2FAs and enroll a new one, for example FIDO2 key(s). I strongly believe that self-service capabilities provided by IT folks to end users should prevail in such scenarios, as it's usually a more scalable and reliable solution in the long term. Moreover, it's more cost effective ;)

Microsoft

@Alexey Goncharov - Thanks. Temporary exception with CA and with MFA enabled still forces the user for MFA. If you disable MFA, the link to update/remove the registered apps in myaccount disappears.

Copper Contributor

I'd also like to know about SHA256 support

Brass Contributor

Is a hardware token supported in a WVD and/or a Citrix VDI scenario?

This would be useful in a call centre environment where users are not allowed to use their mobile device, so they cannot receive an SMS or use the authenticator app to retrieve their passcode.

Copper Contributor

What about these software solutions:

  1. Authy: Free software, compatible also with Mac. Not open source and it requires a phone number to validate the user. https://authy.com/
  2. WinAuth: Open source, very easy to use. https://github.com/winauth/winauth
  3. 2 Factor Authenticator: Available in the Microsoft Store; it can be made available in the company portal. https://www.microsoft.com/en-us/p/2-factor-authenticator/9nblggh5k7jn?activetab=pivot:overviewtab#
  4. Oracle Mobile Authenticator on the Microsoft Store; it can be made available in the company portal.
    https://www.microsoft.com/it-it/p/oracle-mobile-authenticator/9nblggh4nsh8?activetab=pivot:overviewt...

In the end you cannot stop users from using them. WinAuth, for example, is a portable one.

Thanks

Christian

Brass Contributor

Looking for functional, GEO-Poli, other opinions on Protectimus @ Ukraine products?

https://www.linkedin.com/search/results/people/?currentCompany=%5B%223602018%22%5D&origin=COMPANY_PA...

If you have functional experience with either of these products - I would appreciate your commentary.

https://www.protectimus.com/flex/

https://www.protectimus.com/protectimus-slim-mini/

Thanks in advance,

Copper Contributor

Hi, if you need instructions regarding setting up OATH tokens for Office 365 and Azure, you should find the following instructions handy:

Office 365 and Azure MFA using OATH hardware tokens

The article compares using programmable and non-programmable tokens (handy if your users don't have a P1 or P2 license), compares using a basic and a premium license, and provides details on how to set up OATH pre-programmed hardware tokens with Azure MFA.

Copper Contributor

Hi


Copper Contributor

Out of curiosity, can anyone let me know when this feature will become General Availability instead of Public Preview? I have not been able to find it in the Office 365 Road Map. While this is a great step in the right direction, the challenge I am having is that activation of tokens requires a Global Admin, and I am hopeful that changes when this becomes General Availability.

Otherwise it will complicate the overall lifecycle management of OATH hardware token(s), as we won't be able to cross-train and empower others in our organizations unless we grant them Global Admin rights.

Microsoft

Hi @GuevaraCloud, we are working on an improved experience to resolve the challenge you're facing (amongst others). We will bring this new experience to Public Preview first, after which it will become Generally Available. I can't give any concrete timelines, as they are subject to change. Hopefully this explains why the current experience has never been promoted to Generally Available.

Copper Contributor

Hi @luc-msft, the previous post does not explain how almost 5 years have gone by without any progress in the management of hardware OATH tokens. Please at least add hardware token management to the Graph APIs so we can code our own workarounds. It would also be great if users could activate their own hardware token via the mysignins page after the tokens have been imported by an admin. We have a situation where we have thousands of hardware tokens already in the field that we want to migrate to Entra MFA, but activation is going to be a nightmare since you need the current code from the token, which only the user can access.

Microsoft

@Damon Fischer The improved experience I mentioned earlier will alleviate your concerns about end-user self-assignment and -activation. We are doing all we can to bring that experience to Public Preview as soon as possible, but unfortunately I'm not in the position to share any timelines.

Copper Contributor

The year is 2024, this feature is still in preview, and helpdesk still cannot assign tokens because it doesn't have a role and requires Global Admin.

Copper Contributor

You might find the following wiki guide helpful if you want to use the SafeID tokens with Azure or Office 365: Using Hardware Tokens with Azure, and details for Office-compatible TOTP OATH tokens can be found here: Microsoft compatible hardware tokens

Azure format seed files can then be uploaded and assigned to the users.

Version history
Last update: Jul 24 2020 01:51 AM