Automating Upload and Activation of Hardware Tokens for Azure MFA

We’ve had to prepare to enrol a large number of physical hardware tokens into Microsoft MFA. Unfortunately Microsoft do not currently provide a way to do with their own PowerShell suite. The process of adding new tokens can be quite time consuming.

To overcome this I’ve written a PowerShell script that can be used to automate the process of importing and activating hardware TOPT tokens.

WARNING: This method uses undocumented Microsoft APIs and should be used with caution and considered unsupported.

How it Works

  • Looks up the seed for a serial number from a CSV file (from your token provider)
  • Uploads the token details and provided UPN to Azure MFA
  • Waits for upload to finish
  • Generates a TOPT token based off the tokens seed
  • Actives the hardware token


  • Azure Powershell Module: Install-Module -Name Az -AllowClobber
  • CSV file from token supplier in the Azure MFA hardware token format, see: Microsoft Documentation

CSV Header:

upn,Serial Number,Secret Key,Time Interval,Manufacturer,Model


  • Authenticate a PowerShell session using Connect-AzAccount.
  • Invoke the PowerShell script as follows:
.\Add-AzureMfaToken.ps1 `
    -upn `
    -serialNumber 0000000001 `
    -tokensCSV c:\pathTo\tokens.csv

You can find the script on my Github page, please leave a comment below or on Github if you have any questions or feedback.

Get the Script from Github

Written on November 4, 2020
Show Comments