We’ve had to prepare to enrol a large number of physical hardware tokens into Microsoft MFA. Unfortunately Microsoft do not currently provide a way to do this with their own PowerShell suite, so the process of adding new tokens can be quite time consuming.
To overcome this I’ve written a PowerShell script that automates the process of importing and activating hardware TOTP tokens.
WARNING: This method uses undocumented Microsoft APIs and should be used with caution and considered unsupported.
How it Works
- Looks up the seed for a serial number in a CSV file (supplied by your token provider)
- Uploads the token details and the provided UPN to Azure MFA
- Waits for the upload to finish
- Generates a TOTP code from the token's seed
- Activates the hardware token
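As an added illustration of the CSV lookup and TOTP generation steps (example code written for this post, not the Add-AzureMfaToken.ps1 script itself), the following reads a serial number from a constructed CSV in the supplier format and computes the current RFC 6238 code from its seed. It assumes the Secret Key column is base32-encoded, as the Azure MFA hardware token CSV format specifies, and uses HMAC-SHA1 with 6 digits.

```powershell
# Constructed sample in the Azure MFA hardware-token CSV layout (seed is the RFC 6238 test secret, not a real token).
$sampleCsv = @'
upn,Serial Number,Secret Key,Time Interval,Manufacturer,Model
user@example.com,0000000001,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,30,ExampleVendor,OTPc200
'@

function ConvertFrom-Base32 {
    # Decode an RFC 4648 base32 string (the Secret Key column) into raw bytes.
    param([Parameter(Mandatory)][string]$Base32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = ''
    foreach ($c in ($Base32.ToUpperInvariant().TrimEnd('=')).ToCharArray()) {
        $idx = $alphabet.IndexOf($c)
        if ($idx -lt 0) { throw "Invalid base32 character '$c' in secret key" }
        $bits += [Convert]::ToString($idx, 2).PadLeft(5, '0')
    }
    $bytes = [System.Collections.Generic.List[byte]]::new()
    for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        $bytes.Add([Convert]::ToByte($bits.Substring($i, 8), 2))
    }
    return ,$bytes.ToArray()   # leading comma keeps the byte[] intact through the pipeline
}

function Get-TotpCode {
    # RFC 6238 TOTP (HMAC-SHA1, 6 digits), the profile Azure MFA uses for OATH hardware tokens.
    param(
        [Parameter(Mandatory)][string]$SecretBase32,
        [int]$TimeInterval = 30,
        [datetime]$At = [datetime]::UtcNow
    )
    $unix = ([DateTimeOffset]$At).ToUnixTimeSeconds()
    $counter = [int64][math]::Floor($unix / $TimeInterval)
    $counterBytes = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($counterBytes) }  # RFC 4226 wants big-endian
    $hmac = [System.Security.Cryptography.HMACSHA1]::new([byte[]](ConvertFrom-Base32 $SecretBase32))
    $hash = $hmac.ComputeHash($counterBytes)
    $offset = $hash[$hash.Length - 1] -band 0x0F   # dynamic truncation offset
    [int64]$binary = 0
    for ($i = 0; $i -lt 4; $i++) { $binary = ($binary -shl 8) -bor $hash[$offset + $i] }
    $binary = $binary -band 0x7FFFFFFF
    return ($binary % 1000000).ToString().PadLeft(6, '0')
}

function Get-TokenCodeFromCsv {
    # Look up a serial number in the supplier CSV and compute its code for the current interval.
    param([Parameter(Mandatory)][string]$SerialNumber, [string]$CsvText = $sampleCsv)
    $row = $CsvText | ConvertFrom-Csv | Where-Object { $_.'Serial Number' -eq $SerialNumber }
    if (-not $row) { throw "Serial number $SerialNumber not found in token CSV" }
    Get-TotpCode -SecretBase32 $row.'Secret Key' -TimeInterval ([int]$row.'Time Interval')
}
Get-TokenCodeFromCsv -SerialNumber '0000000001'
```

To sanity-check the implementation before trusting it for activation, call Get-TotpCode with the constructed seed and -At set to Unix time 59 ([DateTimeOffset]::FromUnixTimeSeconds(59).UtcDateTime); it returns 287082, the last six digits of the RFC 6238 Appendix B SHA-1 vector.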
Requirements
- Azure PowerShell module:
Install-Module -Name Az -AllowClobber
- CSV file from your token supplier in the Azure MFA hardware token format (see the Microsoft documentation), with the header:
upn,Serial Number,Secret Key,Time Interval,Manufacturer,Model
- Authenticate a PowerShell session using
- Invoke the PowerShell script as follows:
.\Add-AzureMfaToken.ps1 `
    -upn email@example.com `
    -serialNumber 0000000001 `
    -tokensCSV c:\pathTo\tokens.csv
You can find the script on my GitHub page; please leave a comment below or on GitHub if you have any questions or feedback.