
Hardware tokens with modern authentication office 365


We are enabling Modern Authentication for our Office 365 users. Some of our users do not have company cell phones, and they do not want to use their personal cellphones.

Can we use hardware tokens for MFA if we do not have Azure MFA P1?

Hardware tokens are a verification option for MFA.


Any idea how to set this up?

Thank you

1 Reply

Hi, yes, there is support for OATH hardware tokens, but it does require extra licensing - OATH hardware tokens (public preview), with the announcement here - Hardware OATH tokens in Azure MFA in the cloud are now available (requires Azure AD Premium P1 or P2 license):

"We’ve had several phone-based methods available since launching Azure MFA, and we’ve seen incredible adoption. But many of our customers have users who don’t have a phone available when they need to authenticate. Today, MFA is available for those users too!"

Separately, there is also support for security keys for Azure AD with passwordless authentication, which is in preview, but their use is rather limited at the moment.

"FIDO2 security keys are a great option for enterprises who are very security sensitive or have scenarios or employees who aren't willing or able to use their phone as a second factor."

You can see more here, including the supported scenarios - Passwordless authentication options, as well as the announcement - Announcing the public preview of Azure AD support for FIDO2-based passwordless sign-in. Haven't seen confirmation of this, but this would probably require Azure AD Premium P1.

To be fair, it would be just easier to get staff to use the Authenticator app. I understand the resistance; after recently onboarding 600 users, I encountered something similar, but usually, after explaining to staff, it wasn't an issue with using their personal device.