Hardware Tokens for Azure MFA

There are currently two ways to implement an Azure hardware token for Azure Multi-Factor Authentication:

  • With classic OATH tokens for Azure MFA with hard-coded secret keys, such as Protectimus Two. To make use of one of these you’ll need Azure AD Premium P1 or P2 license.
  • With a programmable hardware token for Azure MFA Protectimus Slim NFC or Protectimus Flex which is a replacement for an authentication app from Microsoft. This Azure cloud MFA hardware token does not require a premium subscription account.

In this article, we will describe how to set up both types of hardware tokens for Azure token-based authentication. All three devices can be bought here.

Classic OATH hardware tokens for Azure MFA – how to set up

Currently, Azure AD supports tokens with passwords not longer than 128 characters and password life-span of 30 and 60 seconds. Protectimus Two hardware OTP tokens fit these requirements.

Once you choose and receive the Azure MFA OATH token you prefer you need to register your token with Azure. Below is the step-by-step guide on this simple process:

Step 1. Prepare a CSV file that includes your UPN (user principal name), the serial number of the hardware token Azure MFA, the seed (secret key), time interval, make and model of the Azure AD MFA hardware token. Make sure to include a header row, the result should look something like this:

How to add OATH tokens to Azure MFA

Step 2. Once the CSV file is created and properly formatted it has to be imported. Go to Azure Portal and browse to Azure Active Directory, then to Security and to Multi-Factor Authentication. On the MFA page choose OATH tokens and click the “Upload” button. Upload your CSV file; the upload process might take a few minutes.

Azure two-factor authentication hardware tokens setup

Step 3. Click the “Refresh” button. If the CSV file was uploaded successfully you will see a list of your Azure AD hardware tokens, if the file had an error you will be notified on the same page:

File uploaded successfully:

Azure Multi Factor authentication Oath hardware tokens setup

File uploaded with errors:

Azure 2-factor authentication OATH hardware tokens

Step 4. Now you need to activate your Azure multi-factor authentication hardware token. If you have multiple tokens, you should activate them one by one. Click the “Activate” button at the lattermost column on the right and enter the password generated by the corresponding Azure MFA token. After that, click the “Verify” button.

Azure OATH tokens setup

Step 5. Once the MFA server accepts your one-time password you will get a message confirming the activation of the Microsoft Azure token you selected from the list and there should appear a check mark in the corresponding “Activated” column. Now your token is successfully activated and can be used to log in.

OATH tokens for Azure MFA setup - activated

Step 6. 2FA settings in the user account.

OATH tokens will be automatically set as a main 2FA method.

NOTE! If any other 2-factor authentication method is registered for a user, they can use several two-factor authentication methods at once. For example, I activated a 2FA app Protectimus SMART as a 2FA methos, in this case, both one-time passwords from hardware token and 2FA app will work when I enter any of them in this field:

Azure MFA OATH token setup - step 7

If you want to use only a hardware OATH token for Azure 2-factor authentication, login to your account and deactivate other two-factor authentication methods.

  1. Go to your account settings page at https://myaccount.microsoft.com/?ref=MeControl
  2. Navigate to the Security Info tab.
  3. Delete two-factor authentication methods you don’t need.
Azure MFA OATH token setup - step 8

Programmable hardware tokens for Azure MFA

As has already been mentioned above – to use a classic Microsoft Azure MFA hardware token you need to have a premium subscription. But we know that not everyone is ready to pay 6 euros per month per one user. If you are not ready to pay too, programmable hardware tokens Protectimus Slim NFC or Protectimus Flex is the way to go for you. These tokens are recognized as authentication apps by the Azure MFA system, so you do not need a premium license to use them.

Adding Protectimus Slim NFC or Protectimus Flex as a recognized second factor of authentication to your Azure MFA is pretty straightforward. All you need to do is log into the MFA setup page, configure the authentication to recognize your Azure authentication token and program the device itself to be used for Azure MFA. The whole process takes mere minutes and is described in detail here.

Common questions

1. What about time-drift support in Azure MFA?

Microsoft does not provide any exact info on time drift with Azure MFA, but the implementation has been said to be based on RFC 6238 which suggests that the time drift is indeed supported. Azure MFA allows one-time passwords within a time range of 900 seconds, this means time drift support is not really necessary. But if you’d like to keep time drift issue under control, use Protectimus Slim NFC or Protectimus Flex tokens, which have a time synchronization feature now. The time is resynchronized when a secret key is flashed to the token.

2. Why hardware token is better for Azure MFA than 2FA apps, SMS, and phone calls?

A hardware token is by far the most bulletproof protection you can get for your data stored on a cloud. Such a device generates secure passwords without and needs no network connection whatsoever. With a hardware token you have an impenetrable wall between your data and anyone who tries to steal it. There’s simply no way for hackers to infect the device or intercept the generated codes. And if a hardware token is stolen or lost you most probably will notice it immediately, whereas with an infected app or intercepted SMS you might not know any damage is done before it’s too late.

3. Can I order hardware token with my company logo?

If you want Protectimus Slim NFC you can have the device branded even if your order is as small as one token. With Protectimus TWO custom branding is offered for orders over 1000 devices.

4. Does Protectimus Slim NFC support multiple secret keys (seeds)?

No, this token allows for one seed at a time. But Protectimus Slim NFC can be programmed to work for a different resource once you stop using the one you initially programmed it for.

Read more:

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from our team.

You have Successfully Subscribed!

Author: Anna

If you have any questions about two-factor authentication and Protectimus products, ask Anna, and you will get an expert answer. She knows everything about one-time passwords, OTP tokens, 2FA applications, OATH algorithms, how two-factor authentication works, and what it protects against. Anna will explain the difference between TOTP, HOTP, and OCRA, help you choose a token for Azure MFA, and tell you how to set up two-factor authentication for Windows or Active Directory. Over the years with Protectimus, Anna has become an expert in cybersecurity and knows all about the Protectimus 2FA solution, so she will advise on any issue. Please, ask your questions in the comments.

Share This Post On

1 Comment

  1. The Upload is greyed out for me. Do I have to be Global Admin or can a helpdesk role work?

    Post a Reply

Leave a Reply to EPark Cancel reply

Your email address will not be published.

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from Protectimus blog.

You have successfully subscribed!

Share This