maciejrebisz.com


How to use OATH hardware tokens with AzureAD for MFA – Mobile-First Cloud-First

maximios June 25, 2022

We are constantly trying to add more security to sign-in than just a username and password, so Multi-Factor Authentication (MFA) is a good solution, and MFA combined with Azure AD Conditional Access is even better. MFA is relatively easy to implement in an organisation where the end user has a company-owned mobile phone or is willing to use their own mobile phone, but there are industries where this is not possible, so we need another solution.
In October 2018 Microsoft announced the availability of OATH hardware token support in Azure MFA.

In my opinion it is a great alternative to the Microsoft Authenticator app when the end user does not have a mobile device for some reason, but there is an overhead of administrative tasks, like keeping control over which user has which hardware token; that just requires a process, and then you are ready to go.
I have tested:

  • Token2
  • Yubico (Requires an accessory app.)

In this case I do not like the Yubico key due to the requirement of an app – in this blog post I will show and tell the process with the Token2 key – but because OATH is a standard, you're not locked to a single vendor.
When you have purchased the OATH hardware keys from your vendor, there is some work you need to do:

  1. Send a mail to Token2 at [email protected] with the serial numbers for your hardware tokens
  2. You get a .csv back with the secret key, serial number, time interval, manufacturer, and model for each token.
  3. Then you have to replace [email protected] with your end user's UPN
  4. Upload the .csv file to Azure MFA
  5. Activate the hardware tokens in Azure MFA
  6. Deliver the right hardware token to the right end user

Then you are ready to go.
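
A pre-upload check for the .csv described in the steps above, as an added example that is not part of the original post: it flags rows whose UPN is still a placeholder, duplicate serial numbers, malformed secrets and unexpected time intervals, and computes the RFC 6238 code for a seed so it can be compared with the token's display. The header names, the `user@example.invalid` placeholder, the 30/60 interval values and the sample rows are assumptions; check them against your vendor's file.

```python
import base64, csv, hashlib, hmac, io, re, struct

# Assumed header (fields as listed in the post); adjust to your vendor's file.
COLUMNS = ["upn", "serial number", "secret key", "time interval", "manufacturer", "model"]
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample; the seed is the RFC 6238 test key, never a real token seed.
SAMPLE = """upn,serial number,secret key,time interval,manufacturer,model
alice@contoso.example,1000001,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,30,Token2,MODEL-X
user@example.invalid,1000002,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,30,Token2,MODEL-X
bob@contoso.example,1000002,NOT-BASE32!,45,Token2,MODEL-X
"""

def totp(secret_b32, unix_time, interval=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a Base32 seed at a given Unix time."""
    if not secret_b32:
        raise ValueError("empty secret")
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(unix_time) // interval)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation from RFC 4226
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def validate(csv_text, placeholder="user@example.invalid"):
    """Return (line number, problem) pairs for rows that should not be uploaded."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames != COLUMNS:
        return [(1, "unexpected header")]
    problems, seen = [], set()
    for line, row in enumerate(reader, start=2):
        row = {k: (v or "").strip() for k, v in row.items() if k}
        if not UPN_RE.match(row["upn"]) or row["upn"].lower() == placeholder:
            problems.append((line, "UPN invalid or still the vendor placeholder"))
        if row["serial number"] in seen:
            problems.append((line, "duplicate serial number"))
        seen.add(row["serial number"])
        try:
            totp(row["secret key"], 0)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append((line, "secret key is not valid Base32"))
        if row["time interval"] not in ("30", "60"):  # assumed allowed values
            problems.append((line, "time interval is not 30 or 60"))
    return problems

if __name__ == "__main__":
    for line, problem in validate(SAMPLE):
        print(f"line {line}: {problem}")  # never print the secret key column
```

The .csv contains every token's seed, so store and transfer it like any other credential material and delete local copies once the upload has succeeded.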

Requirement: Azure AD P1 or P2

Hardware OATH token

How to get the hardware token .csv file into Azure MFA:

Start your favorite portal for Azure AD: https://aad.portal.azure.com

  1. Click Azure Active Directory
  2. Click MFA
  3. Click OATH tokens
  4. Click Upload

Point to the .csv file you got from Token2 or any other vendor you have

After a successful upload of the .csv file you can see a status, including whether something has failed

Then you just need to activate the hardware token by clicking Activate

You will be prompted for a verification code that you get from the hardware token

After activating your tokens you can see the activation status in the portal

That is all you need to do – now you can deliver the right hardware token to the right end user!

What does the end user experience look like:

When they get the sign-in page for Azure AD, the end user just enters their username as normal

After they have entered the password, they will get the MFA challenge, in this case a 5 digit code from the hardware token.

Sometimes the end user gets a message that Azure AD needs more information

Then they just need to verify their hardware token.

Happy deployment!

Read more:
Hardware OATH tokens in Azure MFA in the cloud are now available
