Request for registration of OATH token and connection to user:
We would like you to allow end users to register OATH tokens by themselves, as well as other multi-factor authentication notifications (i.e. telephone and SMS).
If our request above is not permitted, please consider the following to reduce the time and effort of the administrator:
- Registering OATH token information prior to registration of associated user information
- Connecting the user and OATH token by GUI operation from Azure portal instead of importing CSV
- No entering authentication code when activating OATH token
For not entering an authentication code when activating tokens:
If you don't have tokens from companies which offer a solution for their paying customers, there's a script available here which can import OATH tokens (from any brand) via a script: https://github.com/Deofex/ActivateOATHTokensInBulkAzure
- The script imports the CSV file you use to import the tokens in Azure
- Looks if the token is still unactivated
- If the token isn't activated yet, it will generate an OTP code from the secret key in the CSV and use the Azure API to activate it.
This isn't a solution for your request, but because some commercial parties were active in here and it's related, I thought it would be nice to share it here :)
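The second and third steps above (read the import CSV, derive the current OTP from each secret) can be shown without any Azure call; the following is an added example, not the linked script's code, and it assumes the CSV layout the Azure portal accepts for OATH hardware token import (upn, serial number, secret key, time interval, manufacturer, model) with a constructed sample row whose secret is the RFC 6238 reference key, not a real token.

```python
import base64
import csv
import hashlib
import hmac
import io
import struct
import time

# Constructed sample in the OATH hardware token import layout. The
# secret is the RFC 6238 reference key (ASCII "12345678901234567890")
# in base32; the UPN and serial number are placeholders.
SAMPLE_CSV = """upn,serial number,secret key,time interval,manufacturer,model
alice@contoso.example,1234567,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,30,Contoso,HardwareKey
"""


def parse_token_csv(text):
    """Return one dict per token row, keeping only the fields TOTP needs."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "upn": row["upn"].strip(),
            "serial": row["serial number"].strip(),
            "secret_b32": row["secret key"].strip().upper(),
            "interval": int(row["time interval"]),
        })
    return rows


def totp(secret_b32, unix_time, interval=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, the algorithm these hardware tokens run."""
    # Re-add base32 padding so secrets exported without '=' still decode.
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded, casefold=True)
    counter = int(unix_time) // interval
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def codes_for_activation(csv_text, unix_time):
    """Map each serial number to the code an activation step would need right now."""
    return {t["serial"]: totp(t["secret_b32"], unix_time, t["interval"])
            for t in parse_token_csv(csv_text)}


if __name__ == "__main__":
    for serial, code in codes_for_activation(SAMPLE_CSV, time.time()).items():
        print(serial, code)
```

The code is only valid for one time interval, so the activation step that consumes it has to run within the same window in which it was generated.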
James Bond commented
>> No entering authentication code when activating OATH token
Deepnet Security has developed a solution that allows you to bulk activate and/or remove OATH tokens in Azure AD. See link below:
>> Registering OATH token information prior to registration of associated user information
>> Connecting the user and OATH token by GUI operation from Azure portal instead of importing CSV
Deepnet Security is also working on a solution for those as well.
T2 Guy Pidancet commented
In case you need to bulk activate imported tokens, we have a workaround:
Jitendra Shaw commented
Consider this requirement as an immediate need of the time and prioritize it.
OATH tokens are useful in specific scenarios e.g. user cannot carry mobile device due to security measures or safety hazard.
Until simplification of OATH tokens is available, cloud MFA is not a comprehensive solution.
The current process to activate an OATH token is cumbersome, error prone and needs Global Administrators' (GA) valuable time. Just imagine all the GA time required for OATH token registration and activation if an organization has 10000+ users who have to use OATH tokens.
Rather than moving to automation and self-registration, Azure AD users and GAs are stuck with a manual/admin-controlled process for OATH tokens as an MFA offering.
OATH registration can be done by GAs by a bulk load operation, but activation must be available as a self-service method for end users who have the hardware token with them.
Shashi P commented
Any update on permissions, MS?
Global Admins cannot manage OATH tokens for activation and adding and removing users. It would be nice if there were a role that made it possible for non-Global Admins to administer tokens.
This limitation is practically making HW tokens not usable.
Daniel Gull commented
Is there some preview planned soon? Microsoft recommends everywhere to set up MFA for all users, but we cannot do the deployment without the OATH self-registration/activation function.
David S. commented
Any update, MS? Anyone that is planning to use OATH tokens with a large bulk deployment cannot activate each token one at a time, since it would consume a huge amount of time for the global admins. Why can't global admins upload all the required info with the CSV and let the user activate the assigned token like any other MFA method? Maybe it's not an issue after you're done deploying your tokens to make changes to one or two tokens, but if you're deploying 2000+ tokens I could not think about the amount of time it would take to activate each token one at a time.
Joe Stocker commented
One company has figured out a way around this - Token2.ch
The idea/request was shared almost half a year ago and still no registration/activation option from the user perspective.
What I would like to see (like others also mentioned):
As global admin I'm able to bulk add and activate tokens, but...
1. Adding tokens and ACTIVATING OATH tokens should also be possible with fewer privileges (the only way now is to do this as global admin)
(please don't mention privileged admin roles in Azure - not working)
2. Users should be able to activate the tokens (already uploaded with their secrets by admins) themselves.
As long as these main points are not in place it will take too much time and effort to implement this solution.
Grant Hope commented
This is a must
As an admin also, it is very time consuming to have to manually activate each OATH token. I have an organization of 15k+ users, and there are not enough resources to individually insert each key to activate, on top of preventing keys getting mixed up with each other.
Cody Hussey commented
As an admin, I should be able to bulk upload OATH hardware tokens and not have to then manually activate each one. This is just as time consuming and defeats the purpose of bulk upload.
I agree with that request.
It's a nice idea if end users set up tokens by themselves!
Azure MFA has few features to manage OATH hardware tokens compared to MFA Server.
In many organizations, it is impossible to register UPN, SERIAL NUMBER and SECRET KEY simultaneously.
Users could set up tokens by themselves using the SERIAL NUMBER, if Azure MFA had the following features:
* a feature to register OATH hardware token.
* a feature to assign tokens to accounts.