Provisioning programmable hardware tokens for Office 365 accounts remotely

Assumptions

• The provisioning is done by an IT person equipped with the software and hardware needed to burn seeds onto programmable hardware tokens (e.g. an Android device with NFC, or an iPhone 7 or newer for the “-i” models). Exact requirements are listed on the product page of each model. No special admin access is needed, as the provisioning is done on behalf of the end-users.

Problems to be addressed

• With Azure AD Free, there is no way for Global Admins to import existing seeds into Azure MFA (a P1/P2 license is needed for this). Without Azure AD Premium, the seed is generated automatically by the server and shown as a QR code only to the end-user, so there is no way to configure this method in advance.

Instructions

1. Contact the user using a tool that allows screen sharing and ask them to share their desktop. You can request control and perform the next operations yourself, or guide the user through the next steps.

Addressing login issues

Actions described in step 5 of the provisioning instructions above should keep the user logged in for an extended period (ideally 60 days), which should allow enough time for the token to be delivered. However, there may be situations where the user is prompted to log in again (e.g. a different browser is used, the session cookie has been cleared, or browser storage was corrupted). Follow the recommendations below if the user needs to enter an OTP while the token is still in transit.

Generate OTP from a secret

You can use the following tools to generate current OTP from a secret:

  • The recommended tool is our TOTPToolset (online or self-hosted version). Enter the stored secret in the Seed text field to get the OTPs generated. Note that TOTPToolset can generate “future” and “past” OTPs in addition to the current one; it may make sense to use a future OTP if you plan to send it by email, so that it stays valid for a longer period.
  • You can also use our command-line tool, T2OTP.exe, available here. The syntax is:
    t2otp.exe SECRET
    For example, "t2otp.exe 2sk2tsmkjp7kdbck" will generate one OTP for the secret “2sk2tsmkjp7kdbck”.
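The same computation the tools above perform, written out as an added example (not the TOTPToolset or T2OTP code, and not part of the original post). It assumes the Azure MFA defaults for programmable tokens (SHA-1, 30-second step, 6 digits) and a base32 seed; the step_offset argument reproduces the “past” and “future” OTPs mentioned above.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional


def hotp(secret_b32: str, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP for a base32 seed (case-insensitive, padding optional)."""
    normalized = secret_b32.strip().replace(" ", "").upper()
    normalized += "=" * (-len(normalized) % 8)      # restore base32 padding if stripped
    key = base64.b32decode(normalized)
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(key, msg, algo).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226 5.4)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[float] = None, step: int = 30,
         step_offset: int = 0, digits: int = 6) -> str:
    """RFC 6238 TOTP. step_offset=+1 gives the next ("future") code, -1 the previous one."""
    now = time.time() if at is None else at
    counter = int(now // step) + step_offset
    return hotp(secret_b32, counter, digits)


def totp_window(secret_b32: str, at: Optional[float] = None,
                past: int = 1, future: int = 1) -> Dict[int, str]:
    """Past, current and future codes keyed by step offset (0 = current)."""
    return {k: totp(secret_b32, at, step_offset=k) for k in range(-past, future + 1)}


if __name__ == "__main__":
    # The seed from the post's t2otp.exe example; codes depend on the current time.
    for k, code in totp_window("2sk2tsmkjp7kdbck").items():
        print(f"offset {k:+d}: {code}")
```

A future OTP (offset +1) is only valid once the current 30-second step has passed, which is why it is the better choice when the code is sent over a slow channel such as email.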
