Hardware OATH tokens in Azure MFA in the cloud are now available

Published 10-23-2018 09:00 AM 167K Views

Howdy folks!

 

I’m excited to announce the public preview of hardware OATH tokens in Azure Multi-Factor Authentication (Azure MFA) in the cloud! We’ve had several phone-based methods available since launching Azure MFA, and we’ve seen incredible adoption. But many of our customers have users who don’t have a phone available when they need to authenticate. Today, MFA is available for those users too!

 

At the same time, we added support for multiple MFA devices. Your users can now have up to five devices in any combination of hardware or software based OATH tokens and the Microsoft Authenticator app. This gives them the ability to have backup devices ready when they need them and to use different types of credentials in different environments.

 

Multiple device support is available for all users with Azure Active Directory (Azure AD) MFA in the cloud. Hardware OATH tokens are available for users with an Azure AD Premium P1 or P2 license.

 

Check out our credential docs and read on to try out hardware OATH tokens in your tenant.

 

Support for OATH tokens for Azure MFA in the cloud

First, you will need some OATH tokens from the vendor of your choice. You can use any OATH TOTP token with a 30- or 60-second refresh that has a secret key of 128 characters or less. Some vendors include:

Because OATH is a standard, you’re not locked to a single vendor or form factor. Once you purchase the keys from your vendor, they need to send you a file with a secret key, serial number, time interval, manufacturer, and model for each token.

 

To assign the tokens to users, edit that file to add your user’s user principal names (usually their email address) and then upload it to Azure Portal > Azure Active Directory > MFA Server > OATH tokens. Make sure to use the format described in the docs—the secret is in base 32! Also keep the header row in the file. Then, activate each token and hand them out to your users.
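A pre-upload check for the token file, as an added example (not Microsoft's code): it enforces the constraints stated above (header row kept, base32 secret of at most 128 characters, 30- or 60-second interval) and computes the RFC 6238 code a seed should produce, so it can be compared with the device display before activation. The exact header column names, the HMAC-SHA-1 algorithm and the 6-digit code length are assumptions; confirm them against the docs and your vendor's data sheet.

```python
import base64
import csv
import hashlib
import hmac
import io
import re
import struct

# Assumed header row (exact column names are not given in the post; check the docs).
EXPECTED_HEADER = ["upn", "serial number", "secret key",
                   "time interval", "manufacturer", "model"]
ALLOWED_INTERVALS = {"30", "60"}   # post: 30- or 60-second refresh
MAX_SECRET_CHARS = 128             # post: secret key of 128 characters or less
UPN_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")


def decode_secret(secret_b32):
    """Decode a base32 seed; raises ValueError on hex, lowercase or bad length."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded)


def totp(secret_b32, interval, at_time, digits=6):
    """RFC 6238 code for a seed at a Unix time (SHA-1 and 6 digits assumed)."""
    counter = int(at_time) // int(interval)
    mac = hmac.new(decode_secret(secret_b32),
                   struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def validate_token_csv(text):
    """Return a list of (line_number, problem) tuples; an empty list means OK."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or [c.strip().lower() for c in rows[0]] != EXPECTED_HEADER:
        return [(1, "header row missing or altered")]
    problems, seen_serials = [], set()
    for line_no, row in enumerate(rows[1:], start=2):
        if len(row) != len(EXPECTED_HEADER):
            problems.append((line_no, "expected 6 columns"))
            continue
        upn, serial, secret, interval = (c.strip() for c in row[:4])
        if not UPN_RE.match(upn):
            problems.append((line_no, "upn is not a user principal name"))
        if serial in seen_serials:
            problems.append((line_no, "duplicate serial number"))
        seen_serials.add(serial)
        if interval not in ALLOWED_INTERVALS:
            problems.append((line_no, "time interval must be 30 or 60"))
        try:
            if not secret or len(secret) > MAX_SECRET_CHARS:
                raise ValueError("bad length")
            decode_secret(secret)
        except ValueError:
            problems.append((line_no, "secret key must be base32, 1-128 chars"))
    return problems


# Constructed sample file. The first seed is the RFC 6238 test secret
# ("12345678901234567890") in base32; the second is the same seed left in hex,
# which is the mistake the post warns about.
SAMPLE = """\
upn,serial number,secret key,time interval,manufacturer,model
alice@contoso.example,1000001,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,30,ExampleCo,T1
bob@contoso.example,1000002,3132333435363738393031323334353637383930,30,ExampleCo,T1
carol,1000003,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,45,ExampleCo,T1
dave@contoso.example,1000001,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,60,ExampleCo,T1
"""

if __name__ == "__main__":
    for line_no, problem in validate_token_csv(SAMPLE):
        print(f"line {line_no}: {problem}")
    # Code the first token should display at Unix time 59 (RFC test vector).
    print(totp("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", 30, 59))
```

The file holds every token's seed, so treat it like a credential store: restrict who can read it and remove working copies once the upload is done.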

 


 

Support for multiple devices in Azure MFA

 

In addition to hardware tokens, we also rolled out support for multiple authenticator devices. Your users can now have up to five devices across the Authenticator app, software OATH tokens, and hardware OATH tokens. This is great to give your users different devices for different environments and to let them have backup devices in case they lose one or forget one at home.

 

Multiple device support is available today for all users—there’s nothing you need to do to get started!

 

These are just the start of a lot of changes we’re making to MFA and authentication in Azure as we drive toward a password-less future, so stay tuned here to learn more about the amazing developments as they come.

 

You can also let us know what you think in the comments below. As always, we’d love to hear any feedback or suggestions you have.

 

Best regards,

Alex Simons (@Alex_A_Simons )

Corporate VP of Program Management

Microsoft Identity Division

78 Comments
Regular Visitor

As far as I know, Conditional Access requires a premium license (P1 or P2). Thus, you can use any OATH hardware tokens. I believe this article can answer your question and provide information on how to implement hardware tokens while deploying Azure MFA: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted

Occasional Visitor

We have created a number of bulk programmatic approaches to prepare and assign users hardware tokens (200 for now) for TOTP use. One area we haven't found a solution for is bulk activating the tokens once ingested into the portal - we have programmatic ways to leverage the assigned secret key for each token to generate the TOTP pin for activation, but know of no way to call for the activation itself - is there a solution today that can accomplish this task outside of individually 'clicking' to activate with a code?

Hi @jjordon - We don't support this capability today, we will consider it for future release. 

Senior Member

Is there a way to generate a temp token on behalf of a user when they call support and provide access?

Occasional Visitor

Hi! Noob question here but I can't quite understand our MFA options when using PTA instead of ADFS. I read we can, under Conditional Access, use some 3rd party MFA solutions (like Gemalto, Duo, RSA...) but what would be the point, really? Only having the possibility to also use hardware tokens? I don't get it. BTW, we already have P1 or P2 (don't remember which...) Our need is simply: adding MFA with "phone-as-a-token" and hardware token solutions, combined with CARTA (Continuous Adaptive Risk and Trust Assessment) capabilities. Thanking you in advance.

Regular Visitor

It would be useful if there was an Azure role that could be assigned to a helpdesk user to just allow manipulation of the hardware tokens.

Occasional Contributor

Why isn't this out of preview yet?

Hi Michael -

 

There have been other MFA priorities ahead of this.  Sorry it is taking so long. We are doing our best to get everything in MFA to GA in the next 6 months.

 

Regards,

Alex

Frequent Contributor

Is the Entrust token supported?

Frequent Contributor

Please let us know whether the Entrust token is supported for Azure MFA. If it is supported, can you please share some documents?

Senior Member

Hi Alex, can you please give us an update when you expect the hardware OATH token feature to come out of GA? According to your last statement it could be soon. Our use case is to supply the part of our big workforce that does not have a company phone and does not want to use their private devices with hardware tokens.

Frequent Contributor

All,

Please let us know if the Entrust hardware token or soft token is supported with Azure MFA.

New Contributor

Any update on support for OATH token self-registration for users?  Or even just an API we could call so that we could build our own?  We're trying to migrate from Azure MFA Server and also in the process of migrating from older USB tokens to OATH tokens, and the lack of self-registration or the ability to automate the process is a blocker for us.

Senior Member

Any idea when this will come out of Public Preview?  I am concerned that this has been in Public Preview for nearly 2 years.  It seems like an essential piece to an MFA rollout.

Frequent Visitor

Do you have any news on support for SHA-256?

Occasional Contributor

Thank you. Cool feature which was released in 2018, and yet there is no custom RBAC role in Azure AD to deal with hardware token management. Why is it tagged to the Global Admin?

This is the response I got from Microsoft Premier Support. It's been 2 Years and the PG is still figuring out on RBAC? I don't think so. 

Any thoughts?

 

At this time, we have received feedback on the requirement of a Directory role to manage MFA configuration on Azure AD. Currently, only the Global Administrator has access to MFA related blades.

Our Product Group is working to have roles for MFA management as an improvement based on customer feedback but unfortunately, we have no ETA on when this will be available on Azure AD. 

We apologize on any inconvenience or confusion this could cause. Please feel free to let me know any questions or concerns on this in which I could help.

 

Microsoft

Hi @Alex Simons (AZURE) - Is there a way for admins to delete the authenticator apps set up by the user, in case a user has registered for more than five authenticator apps and is unable to log in to myaccount as it's MFA enabled?

 

Regards,

Padma

Occasional Contributor

@paparth Does AAD allow to register more than 5 Authenticators for end users when it’s limited by admin?

Microsoft

@Alexey Goncharov - Nope, it doesn't. Upon sixth attempt to set up authenticator app, an error is thrown "You cannot have more than 5 hardware tokens or authenticator apps...."

Occasional Contributor

@paparth I’m trying to get better understanding of your use case scenario when IT admins involvement might be required in the self-service environment, where end-users are managing their 2FAs by themselves?

Microsoft

@Alexey Goncharov - Let's assume the below,

1. Tenant A has MFA enabled for all users and configured the authenticator app as the only second factor (unable to enable other factors like SMS/e-mail due to security reasons)

2. User X from Tenant A had registered the authenticator app five times

3. User X has either lost or changed five devices (device is not in possession)

 

When user X logs into myapps/myaccount, it prompts for a second factor. Since the user does not have a way to receive the second factor, the user is unable to log in. The user then calls the admin and the admin resets the user's MFA registration status.

 

When the user logs in again, user is prompted to register for second factor (which is mobile app), when user tries to register the authenticator app for the sixth time, user receives an error "You cannot have more than 5 hardware tokens or authenticator apps...."

 

Now the user cannot delete the existing registration since myapps/myaccounts are MFA enabled and there is no way for admin to delete those user registrations.

 

This is a kind of weird scenario, but not uncommon as few customers are experiencing this.

Occasional Contributor

@paparth  Thanks for the detailed response, it’s really weird scenario, I fully agree with you. Perhaps, it might be easier to enable a temporary exception on Conditional Access rules (for instance, via temporary Azure AD group membership) to allow a user X to deactivate unused/unavailable 2FAs and enroll a new one, for example FIDO2 key(s). I strongly believe that self-service capabilities provided by IT folks to end users should prevail in such scenarios, as it’s usually more scalable and reliable solution in the long term. Moreover, it’s more cost effective ;)

Microsoft

@Alexey Goncharov - Thanks. Temporary exception with CA and with MFA enabled still forces the user for MFA. If you disable MFA, the link to update/remove the registered apps in myaccount disappears.

Established Member
New Contributor

I'd also like to know about SHA256 support

Occasional Contributor

Is a hardware token supported in a WVD and/or a Citrix VDI scenario?

This would be useful in a scenario in a call centre environment where users are not allowed to use their mobile device so cannot receive an SMS, or use the authenticator app to retrieve their passcode.

Regular Visitor

What about these software solutions:

  1. Authy: Free software, compatible also with Mac. Not open source and it requires a phone number to validate the user. https://authy.com/
  2. Winauthy. Opensource, very easy to use. https://github.com/winauth/winauth
  3. 2 Factor authenticator. Available in the Microsoft store, it can be made available in the company portal. https://www.microsoft.com/en-us/p/2-factor-authenticator/9nblggh5k7jn?activetab=pivot:overviewtab#
  4. Oracle mobile authenticator on Microsoft store, it can be made available in the company portal.
    https://www.microsoft.com/it-it/p/oracle-mobile-authenticator/9nblggh4nsh8?activetab=pivot:overviewt...

In the end you cannot stop users from using them. Winauthy, for example, is a portable one.

 

Thanks

Christian

Occasional Contributor

Looking for functional, GEO-Poli, other opinions on Protectimus @ Ukraine products?

https://www.linkedin.com/search/results/people/?currentCompany=%5B%223602018%22%5D&origin=COMPANY_PA...

 

If you have functional experience with either of these products - I would appreciate your commentary.

 

https://www.protectimus.com/flex/

https://www.protectimus.com/protectimus-slim-mini/

 

Thanks in advance,

 

m%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F160477%22%20target%3D%22_blank%22%3E%40Michael%20McLaughlin%3C%2FA%3E%26nbsp%3B%2C%20%22%3CSPAN%3EActivating%20OATH%20doesn't%20change%20any%20credentials%20already%20registered%20for%20a%20user!%20It%20just%20sets%20OATH%20as%20their%20default%20MFA%20method%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EEditing%20my%20comments%20(maybe%20something%20was%20fixed%20recently%20%3A)%3C%2Fimg%3E%20)%20%2C%20I%20confirm%20importing%20MFA%20%3CSTRONG%3Edoes%20not%20break%20SMS%2FPhone%20MFA%20method.%20%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EHowever%2C%20it%3CSTRONG%3E%20is%20not%20setting%20OATH%20token%20as%20primary%20MFA%20method%3C%2FSTRONG%3E%2C%20after%20activating%20the%20token%20I%20still%20had%20the%20phone%20as%20my%20primary%20method%20(which%20is%20fine).%20Also%2C%20the%20login%20page%26nbsp%3Basks%20for%20%22mobile%20authenticator%22%2C%20although%20the%20OTP%20from%20the%20token%20was%20accepted%20with%20no%20issues.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EOn%20the%20figure%20below%2C%20what%20the%20page%20asks%20for%20is%2C%20in%20fact%2C%20a%20code%20from%20my%20token%2C%20not%20my%20app%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20475px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F58184i400929A225807B5C%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22image.png%22%20title%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EOn%20the%20aka.ms%2Fmfasetup%20page%26nbsp%3B%20the%20name%20of%20the%20profile%20is%20made%20of%20the%20token%20name%20and%20its%20serial%20number.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EOn%20the%20same%20page%2C%20users%20can%20change%20the%20default%20MFA%20method%20from%20phone%20to%20token%2C%20but%20again%2C%20the%20there%20is%20no%20%22OATH%20token%22%20in%20the%20list%
2C%20it%20still%20says%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%22app%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%26nbsp%3B%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20730px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F58183i20FDBF1D2EBFFC46%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22image.png%22%20title%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EIt%20is%20also%20important%20to%20mention%20that%20multiple%20MFA%20devices%20work%20transparently%20fine%2C%20in%20addition%20to%20the%20hardware%20token%20I%20managed%20to%20add%20a%20mobile%20app%20profile%20(Google%20Authenticator)%20and%20it%20worked%20just%20fine%2C%20accepting%20both%20the%20hardware%20token%20and%20app-generated%26nbsp%3BOTP%20without%20any%20issues.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20742px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F58186iC67C4C6BF0312B66%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22image.png%22%20title%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-277540%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-277540%22%20slang%3D%22en-US%22%3E%3CP%3EHey%20folks!%20Thanks%20for%20all%20the%20great%20comments.%20I'll%20respond%20to%20them%20all%20here.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EQ%3A%20%22Why%20is%20this%20in%20the%20MFA%20Server%20blade%20in%20the%20Azure%20Portal%3F%22%3C%2FP%3E%0A%3CP%3EA%3A%20Great%20question--we're%20continuing%20to%20evolve%26nbsp%3B
our%20UX%20for%20MFA%20and%20credentials%20management.%26nbsp%3BThe%20next%20stage%20isn't%20ready%20yet%2C%20but%20when%20it%20is%2C%20OATH%20tokens%20will%20move%20to%20a%20better%20aligned%2C%20more%20aptly-named%20location.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EQ%3A%20%22FIDO2%20and%20FIDO%20U2F%3F%22%3C%2FP%3E%0A%3CP%3EA%3A%20Yes%2C%20we%20love%20FIDO2!%26nbsp%3BAt%20Ignite%2C%20we%20announced%20private%20preview%20for%20FIDO2%20support%2C%20and%20we're%20shooting%20for%20public%20preview%20early%20in%202019.%20We%20don't%20have%20plans%2C%20though%2C%20for%20FIDO%20U2F--we%20think%20going%20passwordless%20is%20much%20more%20important%20than%20having%26nbsp%3Byet%20another%20second%20factor.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EQ%3A%20%22Once%20OATH%20is%20activated%20for%20a%26nbsp%3B%20user%2C%20can%20they%20not%20sign-in%20using%20SMS%20or%20mobile%20app%3F%22%3C%2FP%3E%0A%3CP%3EA%3A%20Activating%20OATH%20doesn't%20change%20any%20credentials%20already%20registered%20for%20a%20user!%20It%20just%20sets%20OATH%20as%20their%20default%20MFA%20method.%20If%20the%20user%20wants%20to%26nbsp%3BSMS%2C%20app%2C%20or%20any%20other%20cred%2C%20they%20can%20click%20%22Sign-in%20another%20way%22%20on%20the%20MFA%20screen.%20They%20can%20also%20change%20their%20default%20at%26nbsp%3BMyApps%20%26gt%3B%20Profile%20%26gt%3B%20Edit%20Security%20Info.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EQ%3A%20%22Is%20there%20a%20way%20to%20disable%20support%20for%20multiple%20devices%3F%22%3C%2FP%3E%0A%3CP%3EA%3A%20No%2C%26nbsp%3Bit's%20on%20for%20all%20users.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EQ%3A%20%22What%20is%20the%20recommended%20procedure%20in%20case%20the%20token%20is%20damaged%2Flost%2Fstolen%3F%22%3C%2FP%3E%0A%3CP%3EA%3A%20An%20admin%20can%20delete%20the%20token%20from%20the%20user%20in%20the%20admin%20interface.%26nbsp%3BThe%20user%20can%20also%20deactivate%20their%20token%20themselves%20from%20MyApps%20%26gt%3B%20Profile%20
%26gt%3B%20Edit%20Security%20Info.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EQ%3A%20%22Why%20is%20the%20MFA%20Server%20blade%20saying%20we%20don%60t%20have%20an%20Azure%20Premium%20License%3F%22%3C%2FP%3E%0A%3CP%3EA%3A%20It's%20a%20bug--sorry!%20We%20have%20a%20fix%20coded%20and%20are%20going%20to%20deploy%20shortly.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-277487%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-277487%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F233339%22%20target%3D%22_blank%22%3E%40Kris%20Cears%3C%2FA%3E%26nbsp%3B%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F233280%22%20target%3D%22_blank%22%3E%40DANIEL%20LOWE%3C%2FA%3E%26nbsp%3BThe%20index%20page%20always%20shows%20%22Get%20Free%20Premium%22%2C%20but%20you%20should%20have%20%22OATH%20Tokens%22%20menu%20items%20as%20shown%20here%3A%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20758px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F58153iA45A60EE519EB61C%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22image.png%22%20title%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-277481%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-277481%22%20slang%3D%22en-US%22%3E%3CP%3E%40%20Daniel%20Lowe%2C%20I%20was%20just%20in%20our%20tenant%20yesterday%20and%20noticed%20the%20same%20thing%2C%20which%20surprised%20me%20as%20we%20have%20
EMS%20E5%20licenses%20for%20all%20users.%20I%20noticed%20though%20that%20I%20could%20still%20click%20into%20the%20different%20options%20under%20MFA%20Server%20and%20configure%20them.%20I%20just%20checked%20a%20demo%20tenant%20I%20have%2C%20which%20includes%20EMS%20E3%2C%20and%20it%20does%20the%20same%20thing%2C%20so%20I%20think%20that%20Overview%20page%20for%20MFA%20Server%20is%20static%20and%20always%20shows%20the%20licensing%20message.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-277417%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-277417%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EGreat%20news%2C%20been%20waiting%20for%20this%20feature%20for%20awhile%20now%2C%20but%20when%20i%20try%20enabling%20this%20and%20we%20click%20on%20MFA%20Server%20it%20shows%20we%20don%60t%20have%20a%20Azure%20Premuim%20License%3F%26nbsp%3B%20We%20currently%20have%20a%20A3%20License%2C%20which%20includes%20Azure%20AD%20Premium%20P1%20licenses.%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-277238%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-277238%22%20slang%3D%22en-US%22%3EGreat%20news!%20Looking%20forward%20to%20get%20new%20features%20GA%20soon.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-277211%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-277211%22%20slang%3D%22en-US%22%3E%3CP%3EI%20hate%20to%20be%20that%20guy%20that%20gets%20what%20he%20has%20been%20waiting%20for%20but%20then%20asks...%20Is%20there%20a%20way%20to%20disable%20%22support%20for%20multiple%20devices%22%3F%3C%2FP%3E%3CP%3
E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-277205%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-277205%22%20slang%3D%22en-US%22%3E%3CP%3ETo%20the%20comment%20about%20the%20YubiKey%205%20not%20being%20supported%20by%20the%20Yubico%20Authenticator%20App%2C%20it%20should%20work%20fine.%26nbsp%3B%20I%20double%20checked%20and%20I%20was%20able%20to%20set%20up%20a%20YubiKey%205%20without%20any%20issues.%26nbsp%3B%20If%20you%20are%20seeing%20an%20issue%2C%20let%20us%20know.%26nbsp%3B%20The%20best%20way%20to%20contact%20Yubico%20is%20via%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fsupport.yubico.com%2Fsupport%2Ftickets%2Fnew%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.yubico.com%2Fsupport%2Ftickets%2Fnew%26nbsp%3B%3C%2FA%3E%20but%20you%20can%20reach%20out%20to%20me%20too.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBTW%2C%20we%20just%20published%20our%20how%20to%20guide%20on%20implementing%20YubiKeys%20with%20Azure%20MFA.%26nbsp%3B%20Check%20it%20out.%20%3CA%20href%3D%22https%3A%2F%2Fsupport.yubico.com%2Fsupport%2Fsolutions%2Farticles%2F15000016486-using-yubikeys-with-azure-mfa%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.yubico.com%2Fsupport%2Fsolutions%2Farticles%2F15000016486-using-yubikeys-with-azure-mfa%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EExcited%20to%20see%20Azure%20MFA%20support!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDavid%20Treece%3C%2FP%3E%3CP%3EYubico%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-277192%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-277192%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20definitely%20a%20g
reat%20improvement.%20Any%20chance%20we'll%20see%20Universal%20Two%20Factor%20(U2F)%20supported%20anytime%20soon%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Foffice365.uservoice.com%2Fforums%2F264636-general%2Fsuggestions%2F8703772-fido-u2f%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EPlease%20vote%20for%20U2F%20on%20UserVoice!%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-277149%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-277149%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3EAm%20I%20getting%20it%20right%20that%20an%20OATH%20token%20activated%20user%20cannot%20login%20using%20sms%20or%20mobile%20app%3F%20What%20is%20the%20recommended%20procedure%20in%20case%20the%20token%20is%20damaged%2Flost%2Fstolen%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-277048%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-277048%22%20slang%3D%22en-US%22%3E%3CP%3EFido2%20keys%20(with%20biometrics)%20support%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-277033%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-277033%22%20slang%3D%22en-US%22%3E%3CP%3ECareful%20with%20Yubikey%205%20%2C%20has%20their%20App%20is%20not%20yet%20supported.%26nbsp%3B%20Go%20with%20another%20model.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-277010%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-277010%22%20slang%3D%22en-US%22%3E%3CP%3ESo%20why%20is%20this%20feature%2C%20availabl
e%20only%20for%20Azure%20MFA%20%22in%20the%20cloud%22%2C%20configurable%20via%20a%20blade%20called%20%22MFA%20server%22%2C%20most%20of%20the%20settings%20on%20which%20%22%3CSPAN%20style%3D%22text-align%3A%20left%3B%20color%3A%20rgb(0%2C%200%2C%200)%3B%20text-transform%3A%20none%3B%20text-indent%3A%200px%3B%20letter-spacing%3A%20normal%3B%20font-family%3A%20az_ea_font%2C%26quot%3BSegoe%20UI%26quot%3B%2Cwf_segoe-ui_normal%2C%26quot%3BSegoe%20WP%26quot%3B%2CTahoma%2CArial%2Csans-serif%3B%20font-size%3A%2012px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20text-decoration%3A%20none%3B%20word-spacing%3A%200px%3B%20float%3A%20none%3B%20display%3A%20inline%20!important%3B%20white-space%3A%20normal%3B%20orphans%3A%202%3B%20background-color%3A%20transparent%3B%20-webkit-text-stroke-width%3A%200px%3B%22%3Eonly%20applies%20to%20MFA%20Server%20deployment%3C%2FSPAN%3E%22%3F%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-433351%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-433351%22%20slang%3D%22en-US%22%3E%3CP%3EIt's%20my%20understanding%20that%26nbsp%3BOAuth%20with%20TOTP%20has%20no%20means%20of%20verifying%20the%20actual%20URL%20of%20the%20page%20displaying%20the%20request%20for%20the%20MFA%20code%2C%20so%20attackers%20are%20now%20just%20making%20fraudulent%20fake%20MFA%20request%20webpages%20and%20phishing%20the%20TOTP%20codes%2C%20much%20like%20they've%20been%20doing%20for%20passwords%20for%20decades.%26nbsp%3B%20Meaning%20that%20OAuth%20will%20only%20protect%20us%20from%20incompetent%20attackers%20and%20persistent%20recurring%20login%20breaches%20(since%20attackers%20would%20need%20to%20Phish%20the%20TOTP%20code%20each%20time%20they%20logged%20in...)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20that%20vulnerability%20to%20Phishing%20accurate%3F%26nbsp%3B%20%26nbsp%3B%20%2
6nbsp%3BOr%20is%20there%20Phishing%20protection%20in%20OAuth%20like%20U2F%20and%20FIDO2%20have%3F%26nbsp%3B%20%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-434408%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-434408%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318931%22%20target%3D%22_blank%22%3E%40Torsion-Limit%3C%2FA%3E%26nbsp%3B%20%2C%26nbsp%3Bthere%20is%20nothing%20that%20can%20fully%20protect%20all%20users%2C%20and%20overall%26nbsp%3Bthese%20techniques%20are%20still%20a%20balance%20between%20security%20and%20user%20experience%3C%2FP%3E%3CP%3EAssuming%20the%20first%20factor%20is%20compromised%3A%3C%2FP%3E%3CP%3E-%20TOTP%20phishing%20is%20theoretically%20possible%20mainly%20in%20a%20%22manual%22%20mode.%20Meaning%20that%20the%20victim%20should%20be%20targeted%20and%20the%20attack%20itself%20can%20be%20performed%20in%20real-time.%26nbsp%3B%3C%2FP%3E%3CP%3E-%20If%20we%20are%20talking%20about%20such%20targeted%20attacks%2C%26nbsp%3B%20U2F%20is%20also%20not%20100%25%20secure%20-%20the%20attacker%20would%20only%20need%20physical%20access%20to%20the%20U2F%20key%20for%20a%20short%20time%20%3A%20the%20attacker%20will%26nbsp%3B%20need%20to%20log%20in%2C%20enrol%20another%20key%20and%20put%20the%20original%20key%20back.%20Stealing%20a%20U2F%20key%20is%20harder%20that%20TOTP%20phishing%2C%20but%20this%20would%20give%20permanent%20access%20(whereas%20with%20TOTP%20they%20%22%3CSPAN%3Eneed%20to%20Phish%20the%20TOTP%20code%20each%20time%20they%20logged%20in%22)%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EThere%20are%20other%20(less%20common)%20aspects%20of%20U2F%20security%20to%20be%20aware%20of%3A%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwww.wired.com%2Fstory%2Fchrome-yubikey-phishing-webusb%2F%26nbsp%3
B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fwww.wired.com%2Fstory%2Fchrome-yubikey-phishing-webusb%2F%26nbsp%3B%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E-%20FIDO2%20with%20biometrics%20is%20more%20secure%20and%20phish-proof%20(and%20Microsoft%20is%20moving%20that%20direction)%2C%20but%20it%20has%20its%20own%20downsides.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EMain%20being%20having%20to%20plug%20something%20to%20your%20USB%20port%20(which%20is%20disabled%20btw%20in%20many%20organizations)%2C%20and%20this%20is%20something%20many%20users%20would%20like%20to%20avoid.%20It%20has%20its%20own%20risks%20as%20well%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.secsign.com%2Fusb-authentication-keys-tokens-bad-idea%2F%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fwww.secsign.com%2Fusb-authentication-keys-tokens-bad-idea%2F%26nbsp%3B%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-541181%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-541181%22%20slang%3D%22en-US%22%3E%3CP%3EIt's%20my%20understanding%20that%20this%20only%20supports%20the%20old%20(proven%20to%20be%20insecure)%20sha-1%20for%20hardware%20tokens.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ewhen%20are%20we%20going%20to%20get%20sha-256%20support%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-541373%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-541373%22%20slang%3D%22en-US%22%3E%3CBLOCKQUOTE%3E%3CP%3E%3CSPAN%3Ethe%20old%20(proven%20to%20be%20insecure)%20sha-1%20for%20hardware%20tokens.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FBLOCKQUOTE%3E%3CP%3E%3CSPAN%3E%
3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F336887%22%20target%3D%22_blank%22%3E%40blob63%3C%2FA%3E%26nbsp%3B%2C%20with%20TOTP%20SHA-1%20is%20used%20only%20for%20generating%20a%20secret%20key%20and%20is%20not%20really%20a%20pure%20SHA-1%2C%20it%20is%20HMAC-SHA1.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EHere%20is%20a%20quote%20from%20another%20discussion%20of%20this%20topic%3A%3C%2FSPAN%3E%3C%2FP%3E%3CBLOCKQUOTE%3E%3CP%3E%3CSPAN%3E1)%20the%20TOTP%20algorithm%20SHA-hashes%20a%20constantly-changing%20%E2%80%9Cdocument%E2%80%9D%2C%20composed%20of%20a%20per-user%20secret%20key%20and%20the%20current%20timestamp%20(pegged%20to%2030-second%20time%20steps)%2C%20and%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E2)%20the%206-digit%20nonce%20that%E2%80%99s%20generated%20is%20checked%20at%20the%20server%20side%2C%20which%20can%20do%20simple%20rate-limiting%20(e.g.%20get%20it%20wrong%20twice%2C%20and%20you%20have%20to%20wait%20till%20the%20next%2030-second%20period%E2%80%A6which%20requires%20a%20new%20nonce)%26nbsp%3B%3C%2FP%3E%3C%2FBLOCKQUOTE%3E%3CP%3EA%20bit%20off-topic%2C%20but%20when%20it%20comes%20to%20one-time%20password%2C%20even%20%3CA%20href%3D%22http%3A%2F%2Fmotp.sourceforge.net%2Fmd5.html%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3EMD5%3C%2FA%3E%20is%20secure%20enough.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-652566%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-652566%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20some%20time%20has%20passed%20since%20last%20autumn.%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F160477%22%20target%3D%22_blank%22%3E%40Michael%20McLaughlin%3C%2FA%3E%20is%20ther
e%20an%20news%20on%20the%20user%20self%20enrollment%20for%20OATH%20tokens%3F%3C%2FP%3E%3CP%3EI%20really%20like%20the%20idea%20to%20utilizing%20tokens%20in%20AAD%20MFA%2C%20rather%20than%20going%20for%20an%20alternate%20MFA%20provider%20in%20Azure.%26nbsp%3B%20But%20the%20admin%20experience%20right%20now%20ist%20not%20handy%20for%20a%2065000%20user%20tenant%20%E2%80%A6.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-686718%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-686718%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EDeepnet%20Security%20has%20now%20created%20a%20new%20web%20page%20dedicated%20to%20hardware%20tokens%20for%20Azure%20MFA%20and%20Office%20365%2C%20and%20provides%20information%20of%20how%20to%20use%20SafeID%20tokens%20with%20Azure%20MFA%20(see%20following%20link)%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22http%3A%2F%2Fwww.deepnetsecurity.com%2Fauthenticators%2Fone-time-password%2Fsafeid%2Fhardware-mfa-tokens-office-365-azure-multi-factor-authentication%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttp%3A%2F%2Fwww.deepnetsecurity.com%2Fauthenticators%2Fone-time-password%2Fsafeid%2Fhardware-mfa-tokens-office-365-azure-multi-factor-authentication%2F%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-725538%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-725538%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20updates%20on%20when%20this%20will%20be%20GA%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-789456%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2F
LINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-789456%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDo%20you%20have%20an%20update%20on%20when%20user%20self-activation%2Fregistration%20will%20be%20available%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-376763%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-376763%22%20slang%3D%22en-US%22%3E%3CP%3EDeepnet's%20SafeID%20hardware%20can%20be%20used%20to%20provide%20Azure%20Multi-Factor%20authentication%20on%20cloud%20and%20On-Premises%20Servers%20(see%20link%20below)%3A%3C%2FP%3E%3CP%3E%3CA%20href%3D%22http%3A%2F%2Fwww.deepnetsecurity.com%2Fauthenticators%2Fone-time-password%2Fsafeid%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fwww.deepnetsecurity.com%2Fauthenticators%2Fone-time-password%2Fsafeid%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-853799%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-853799%22%20slang%3D%22en-US%22%3E%3CP%3EIt%20seems%20that%20when%20you%20use%20the%20Yubikey%20token%2C%20app%20passwords%20are%20no%20longer%20available...%20is%20this%20a%20bug%20or%20%22works%20as%20designed%3F%22%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-891345%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-891345%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20all%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESomeone%20may%20find%20useful%20this%20comprehensive%20article%20on%20how%20to%20use%20OATH%20hardware%20tokens%20with%20Azure%20MFA%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fwww.protectimus.com%2Fblog%
2Fhardware-token-azure-mfa%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.protectimus.com%2Fblog%2Fhardware-token-azure-mfa%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-917475%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-917475%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Everybody%3C%2FP%3E%3CP%3EWe%20are%20looking%20at%20implementing%20a%20hardware%20token%20device%20for%20use%20with%20MFA%20and%20Conditional%20Access.%20I%20see%20no%20mention%20of%20Conditional%20Access%20in%20any%20of%20these%20posts.%20So%20are%20these%20devices%20only%20compatible%20with%20the%20traditional%20MFA%20solution%20within%20Azure%2C%20or%20are%20they%20also%20compatible%20with%20Conditional%20Access%20MFA.%20Thanks%20for%20any%20advice%20given.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-917588%22%20slang%3D%22en-US%22%3ERe%3A%20Hardware%20OATH%20tokens%20in%20Azure%20MFA%20in%20the%20cloud%20are%20now%20available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-917588%22%20slang%3D%22en-US%22%3E%3CP%3EAs%20far%20as%20I%20know%2C%20Conditional%20Access%20requires%20a%20premium%20license%20(P1%20or%20P2).%20Thus%2C%20you%20can%20use%20any%20%3CA%20href%3D%22https%3A%2F%2Fwww.protectimus.com%2Ftokens%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3EOATH%20hardware%20tokens%3C%2FA%3E.%20I%20believe%20this%20article%20can%20answer%20your%20question%20and%20provide%20information%20on%20how%20to%20implement%20hardware%20tokens%20while%20deploying%20Azure%20MFA%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-mfa-getstarted%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-dir
Version history
Last update: Jul 24 2020 01:51 AM
Updated by: