Hardware OATH tokens in Azure MFA in the cloud are now available

Howdy folks!


I’m excited to announce the public preview of hardware OATH tokens in Azure Multi-Factor Authentication (Azure MFA) in the cloud! We’ve had several phone-based methods available since launching Azure MFA, and we’ve seen incredible adoption. But many of our customers have users who don’t have a phone available when they need to authenticate. Today, MFA is available for those users too!


At the same time, we added support for multiple MFA devices. Your users can now have up to five devices in any combination of hardware or software based OATH tokens and the Microsoft Authenticator app. This gives them the ability to have backup devices ready when they need them and to use different types of credentials in different environments.


Multiple device support is available for all users with Azure Active Directory (Azure AD) MFA in the cloud. Hardware OATH tokens are available for users with an Azure AD Premium P1 or P2 license.


Check out our credential docs and read on to try out hardware OATH tokens in your tenant.


Support for OATH tokens for Azure MFA in the cloud

First, you will need some OATH tokens from the vendor of your choice. You can use any OATH TOTP token with a 30- or 60-second refresh that has a secret key of 128 characters or less. Some vendors include:

Because OATH is a standard, you’re not locked to a single vendor or form factor. Once you purchase the keys from your vendor, they need to send you a file with a secret key, serial number, time interval, manufacturer, and model for each token.


To assign the tokens to users, edit that file to add your user’s user principal names (usually their email address) and then upload it to Azure Portal > Azure Active Directory > MFA Server > OATH tokens. Make sure to use the format described in the docs—the secret is in base 32! Also keep the header row in the file. Then, activate each token and hand them out to your users.


Azure MFA in the cloud.png


Support for multiple devices in Azure MFA


In addition to hardware tokens, we also rolled out support for multiple authenticator devices. Your users can now have up to five devices across the Authenticator app, software OATH tokens, and hardware OATH tokens. This is great to give your users different devices for different environments and to let them have backup devices in case they lose one or forget one at home.


Multiple device support is available today for all users—there’s nothing you need to do to get started!


These are just the start of a lot of changes we’re making to MFA and authentication in Azure as we drive toward a password-less future, so stay tuned here to learn more about the amazing developments as they come.


You can also let us know what you think in the comments below. As always, we’d love to hear any feedback or suggestions you have.


Best regards,

Alex Simons (@Alex_A_Simons )

Corporate VP of Program Management

Microsoft Identity Division


So why is this feature, available only for Azure MFA "in the cloud", configurable via a blade called "MFA server", most of the settings on which "only applies to MFA Server deployment"? :)

Careful with Yubikey 5 , has their App is not yet supported.  Go with another model.


Fido2 keys (with biometrics) support?

Frequent Visitor


Am I getting it right that an OATH token activated user cannot login using sms or mobile app? What is the recommended procedure in case the token is damaged/lost/stolen?

Occasional Visitor

This is definitely a great improvement. Any chance we'll see Universal Two Factor (U2F) supported anytime soon?


Please vote for U2F on UserVoice!


To the comment about the YubiKey 5 not being supported by the Yubico Authenticator App, it should work fine.  I double checked and I was able to set up a YubiKey 5 without any issues.  If you are seeing an issue, let us know.  The best way to contact Yubico is via https://support.yubico.com/support/tickets/new  but you can reach out to me too.  


BTW, we just published our how to guide on implementing YubiKeys with Azure MFA.  Check it out. https://support.yubico.com/support/solutions/articles/15000016486-using-yubikeys-with-azure-mfa


Excited to see Azure MFA support!


David Treece


New Contributor

I hate to be that guy that gets what he has been waiting for but then asks... Is there a way to disable "support for multiple devices"?


New Contributor
Great news! Looking forward to get new features GA soon.
Occasional Visitor


Great news, been waiting for this feature for awhile now, but when i try enabling this and we click on MFA Server it shows we don`t have a Azure Premuim License?  We currently have a A3 License, which includes Azure AD Premium P1 licenses.  


Occasional Visitor

@ Daniel Lowe, I was just in our tenant yesterday and noticed the same thing, which surprised me as we have EMS E5 licenses for all users. I noticed though that I could still click into the different options under MFA Server and configure them. I just checked a demo tenant I have, which includes EMS E3, and it does the same thing, so I think that Overview page for MFA Server is static and always shows the licensing message.

Frequent Visitor

@Kris Cears , @DANIEL LOWE The index page always shows "Get Free Premium", but you should have "OATH Tokens" menu items as shown here:


Hey folks! Thanks for all the great comments. I'll respond to them all here.


Q: "Why is this in the MFA Server blade in the Azure Portal?"

A: Great question--we're continuing to evolve our UX for MFA and credentials management. The next stage isn't ready yet, but when it is, OATH tokens will move to a better aligned, more aptly-named location.


Q: "FIDO2 and FIDO U2F?"

A: Yes, we love FIDO2! At Ignite, we announced private preview for FIDO2 support, and we're shooting for public preview early in 2019. We don't have plans, though, for FIDO U2F--we think going passwordless is much more important than having yet another second factor.


Q: "Once OATH is activated for a  user, can they not sign-in using SMS or mobile app?"

A: Activating OATH doesn't change any credentials already registered for a user! It just sets OATH as their default MFA method. If the user wants to SMS, app, or any other cred, they can click "Sign-in another way" on the MFA screen. They can also change their default at MyApps > Profile > Edit Security Info.


Q: "Is there a way to disable support for multiple devices?"

A: No, it's on for all users. 


Q: "What is the recommended procedure in case the token is damaged/lost/stolen?"

A: An admin can delete the token from the user in the admin interface. The user can also deactivate their token themselves from MyApps > Profile > Edit Security Info.


Q: "Why is the MFA Server blade saying we don`t have an Azure Premium License?"

A: It's a bug--sorry! We have a fix coded and are going to deploy shortly.



Frequent Visitor

@Michael McLaughlin , "Activating OATH doesn't change any credentials already registered for a user! It just sets OATH as their default MFA method"

Editing my comments (maybe something was fixed recently :) ) , I confirm importing MFA does not break SMS/Phone MFA method.

However, it is not setting OATH token as primary MFA method, after activating the token I still had the phone as my primary method (which is fine). Also, the login page asks for "mobile authenticator", although the OTP from the token was accepted with no issues.

On the figure below, what the page asks for is, in fact, a code from my token, not my app 


On the aka.ms/mfasetup page  the name of the profile is made of the token name and its serial number.

On the same page, users can change the default MFA method from phone to token, but again, the there is no "OATH token" in the list, it still says  "app"




It is also important to mention that multiple MFA devices work transparently fine, in addition to the hardware token I managed to add a mobile app profile (Google Authenticator) and it worked just fine, accepting both the hardware token and app-generated OTP without any issues. 



Established Member

Great to get some more information on this. We've been hoping this would be added for a few months now.

Going to get some new OATH tokens to give this a go straight away...

Dear Microsoft-Team,


First of all I am very happy to read that you support OAUTH-Tokens! We have already obtained some and apart from a few flaws (mentioned above, like not describing the OAUTH-Method distinctively, but still showing as Code from Authenticator App) it works very well.


However, there is one thing that bothers our administrators and I hope that you will improve this once the Preview progresses into an official release:


When we receive the OAUTH-Hardwaretoken (e.g. SafeID - Deepnet) we register it on the Azure platform. This could be done for a bulk order of more than 1000 devices with a csv-file. BUT, when we actually want to activate the OAUTH-Token, this has to be done by the Azure administrator as well - manually. He has to enter the generated code from every single hardware token that has been registered before.


On the other hand, with smartphones users can purchase, register and activate the authenticator app on that particular device themselves without the need of an administrator.


My question: Do you think you can create a process, where IT can register OAUTH-hardware tokens (not FIDO, but SafeID - Deepnet) on Azure through CSV files, but let users activate the hardware tokens themselves? I would imagine that during the activation process the azure will check the serialnumber of the token to verify that the token has been registered through an Azure administrator and thus make it trustworthy.


This would be such a relief, since users could even obtain hardware tokens themselves in case of a loss or theft, contact our IT, pass through the serial number, get their hardware token registered and then activate the hardware token themselves.


Thanks for your consideration!



Occasional Visitor

Dear All,


Could any one of update me whether Safenet Mobilepass is supported in Azure cloud MFA. Did any one testing this feature.


Thanks in Advance

Occasional Visitor

I used the following steps to activate my Yubikey 5 with Azure MFA. These steps might help others to generate their base32 secrets.


1. Install oathtool on Ubuntu
apt-get install oathtool


2. Create random hex secret key
head -10 /dev/urandom | md5sum | cut -b 1-30


3. Generate base32 secret with oathtool (grab one of your outputs from above and whack it in here instead)
oathtool --totp --verbose 08c7ee546c81a1648983e9d69e6e51


4. Create yubico oath (Install Yubico Manager and run below exe)
ykman.exe oath add Your@tenancy.microsoft.com
Enter a secret key (base32): BDD64VDMQGQWJCMD5HLJ43SR


5. Upload to Azure MFA and click Activate

Occasional Visitor

Great to see this and test out. To piggyback on Hirmand's question is there a way to do a mass activate of the token either via csv upload or powershell (rather than having to key in the OTP manually for each user)? Thanks!

Another mega-reply on the way!


@Hirmand Ebadi asked about user self-activation. Yes, we're absolutely planning that! It's a key scenario we're planning to build, basically as you described it. @bob slav, no way to do mass activation today, but hopefully the distributed approach helps you when we release it.


@abu shayeed asked about Safenet Mobilepass. It looks like a software OATH solution; we haven't tested it. In their documentation they say it's OATH TOTP compatible, so chances are it's compatible, but I can't say for sure. I'd suggest contacting Gemalto to see if they have guidance. However, if you're interested in a software authenticator, I'd suggest using the Microsoft Authenticator app to do push notification auth, which is a more seamless experience for your users.


@Michael Ranson - thanks for the steps!


@Michael McLaughlin Amazing job! Thank you for the super quick reaction to this matter. This will most definitely make the hardware-token a powerful option!