Microsoft 365 or Azure AD offers the option of using a hardware token with the OATH TOTP standard for MFA instead of the authenticator app. A hardware token is just an alternative option to the classic popup on mobile. Likewise, there are Passwordless login with a FIDO Security Key or the Authenticator app. I have already written two posts on this.

Table of Contents

Why an OATH token?

Many attacks are successfully carried out due to insecure passwords or passwords that have been used more than once. That's why it's clear to me that every account must be protected with MFA or passwordless authentication. Nevertheless, I am always faced with the challenge of having to convince different people and organizations of this. Common counter-arguments are: "Not all my employees are willing to install a business app on their private smartphone." or: ""Some employees don't have a smartphone."
It is precisely in such situations that the well-known, classic hardware tokens can be popular again.

Setup: OATH TOTP hardware token for with Azure MFA


  • Azure Active Directory Plan 1 or 2
  • OATH TOTP tokens
    • TOTP (Time-based One-time Password) is important here, HOTP (Hash-based One-time Password) are not supported
    • Example of tokens: Feitian c200 or Token2 c202

Ordering an OATH token

In the case of the non-programmable token, a file with the serial number and secret key must also be requested when ordering. In a second step, this is filled into a CSV with the users (UPN) and imported into Azure AD.
The CSV then looks like this:

upn,serial number,secret key,time interval,manufacturer,model,1234567891011,ABCBISYZQWERTZUIO,30,Feitian,HardwareKeyCode language: CSS (css)

Import and Assignment

In fact, we have already made the assignment with the CSV. Now we have to import this.

To do this, we navigate in Azure AD to the OATH Settings (Security > MFA > OATH tokens) and upload the file. (Only possible as Global Administrator.)

OATH TOTP token upload Azure MFA

After a few seconds and a refresh, the user with the token is visible. The activation link is in the last column. This must be done once per user.

Azure MFA OATH token

We just enter the token shown on the display and click "OK".

OATH activation, Azure MFA

The status is then displayed with a tick as active:

OATH TOTP token activated in Azure MFA

Login with the hardware token

The login within Microsoft 365 or an Azure AD application works in the same way as with the authenticator app. The user enters his username and password and is then prompted to enter the token from the display.