We are constantly trying to get more security on login other then username and password, so Multi Factor Authentication (MFA) is a good solution, MFA combined with Azure AD conditional Access it a even better way. MFA is relatively easy to implement in a organisation where the end user has a company owned mobile phone or the end user is willing to use there own mobile phone, but there are industries where this is not possible so we need another solution
In October 2018 Microsoft announced the availability of OATH hardware token support in Azure MFA.

In my opinion it is a great alternative for Microsoft Authenticator app when the end user do not have a mobile device for a reason, but there is a overhead of administrative task like keeping control over what user have witch hardware token, but that just require a process and then you are ready to go.
I have testes :

In this case I do not like the Yubico key do to the requirement of a app – in this blog post I will show and tell of the process with the Token2 key – but because OATH is a standard, you’re not locked to a single vendor.
When you have purchase the OATH hardware keys from your vendor, there is some work you need to do:

  1. Send a mail to Token2 at office@token2.com with the serial numbers for you hardware tokens
  2. You are getting a .csv back with the secret key, serial number, time interval, manufacturer, and model for each token.
  3. Then you have to replace user@domain.tld with your end users UPN
  4. Upload the .csv file to the AzureMFA
  5. Activate the hardware tokens in Azure MFA
  6. Deliver the right hardware token to the right end user


Then you are ready to go.

Azure AD P1 or P2
Hardware OATH token

How to get the hardware token .csv file into Azure MFA:

Start your favorite portal for Azure AD : https://aad.portal.azure.com

  1. Click Azure Active Directory
  2. Click MFA

AzureAD - MFA Token 01

  1. Click OATH tokens
  2. Click Upload

AzureAD - MFA Token 03

Point to your .csv file you got from Token2 or any other vendor you have

AzureAD - MFA Token 04

After a success upload of the .csv file you can see a status – also if somethings have failed

AzureAD - MFA Token 05

Then you just need to activate the hardware token by clicking Activate

AzureAD - MFA Token 06

You will be prompted for a verification code that you get from the hardware token

AzureAD - MFA Token 06a

After activation your tokens you can see the activation status in the portal

AzureAD - MFA Token 07

That is all you need to do – now you can deliverer the right hardware token to the right end user!

How does the end user experience look like:

When you get the sign in page for Azure AD the end user just enters there username as normal

AzureAD - MFA Token UX 000

After they entered the password – they will get the MFA challenge in this case a 5 digit code from the hardware token.

AzureAD - MFA Token UX 001

Some times the end user get a message that Azure AD need more information

AzureAD - MFA Token UX 01

Then they just need to verify there hardware token.

AzureAD - MFA Token UX 02

Happy deployment!

Read more:
Hardware OATH tokens in Azure MFA in the cloud are now available