Automating Upload and Activation of Hardware Tokens for Azure MFA

We've had to prepare to enrol a large number of physical hardware tokens into Microsoft MFA. Unfortunately Microsoft do not currently provide a way to do this with their own PowerShell modules, and adding new tokens by hand can be quite time consuming.

To overcome this I've written a PowerShell script that automates the process of importing and activating hardware TOTP tokens.

WARNING: This method uses undocumented Microsoft APIs and should be used with caution and considered unsupported.

How it Works

  • Looks up the seed for a serial number in a CSV file (from your token provider)
  • Uploads the token details and the provided UPN to Azure MFA
  • Waits for the upload to finish
  • Generates a TOTP code from the token's seed
  • Activates the hardware token

Pre-Requisites:

  • Azure PowerShell module: Install-Module -Name Az -AllowClobber
  • A CSV file from your token supplier in the Azure MFA hardware token format, see: Microsoft Documentation

CSV Header:

upn,Serial Number,Secret Key,Time Interval,Manufacturer,Model

Usage

  • Authenticate a PowerShell session using Connect-AzAccount.
  • Invoke the PowerShell script as follows:
.\Add-AzureMfaToken.ps1 `
    -upn email.address@domain.com `
    -serialNumber 0000000001 `
    -tokensCSV c:\pathTo\tokens.csv
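As an added example (not the author's Add-AzureMfaToken.ps1 from GitHub), here are the two deterministic steps of the process above in PowerShell: looking up a serial number in a CSV with the header shown, and deriving the RFC 6238 TOTP code from its seed, which is the value the activation step has to submit. The function names, sample rows and seed are constructed for illustration.

```powershell
# Added example, not the author's script: CSV lookup plus TOTP derivation.
# Function names, the sample rows and the seed below are constructed.

function ConvertFrom-Base32 {
    # Azure MFA token CSVs carry the seed base32-encoded (RFC 4648 alphabet)
    param([Parameter(Mandatory)][string]$Base32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = ''
    foreach ($c in ($Base32.ToUpperInvariant().TrimEnd('=')).ToCharArray()) {
        $idx = $alphabet.IndexOf($c)
        if ($idx -lt 0) { throw "Invalid base32 character '$c'" }
        $bits += [Convert]::ToString($idx, 2).PadLeft(5, '0')
    }
    $bytes = for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        [Convert]::ToByte($bits.Substring($i, 8), 2)
    }
    return [byte[]]$bytes
}

function Get-TotpCode {
    param(
        [Parameter(Mandatory)][byte[]]$Seed,
        [int]$TimeInterval = 30,
        [int]$Digits = 6,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    )
    # HOTP counter = floor(time / step), sent as 8 bytes big-endian (RFC 4226 5.1)
    $counter = [long][math]::Floor($UnixTime / $TimeInterval)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }
    $hash = [System.Security.Cryptography.HMACSHA1]::new($Seed).ComputeHash($msg)
    # Dynamic truncation: 4 bytes starting at the offset held in the low nibble of the last byte
    $offset = [int]($hash[19] -band 0x0F)
    $binary = (([int]$hash[$offset] -band 0x7F) -shl 24) -bor
              ([int]$hash[$offset + 1] -shl 16) -bor
              ([int]$hash[$offset + 2] -shl 8) -bor
              [int]$hash[$offset + 3]
    return ($binary % [int][math]::Pow(10, $Digits)).ToString().PadLeft($Digits, '0')
}

# Constructed rows in the page's CSV header format (seed is the RFC 6238 reference key)
$tokens = @'
upn,Serial Number,Secret Key,Time Interval,Manufacturer,Model
user@example.com,0000000001,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,30,ExampleVendor,ExampleModel
'@ | ConvertFrom-Csv

# Same lookup the script performs on -serialNumber / -tokensCSV, then the current code
$row = $tokens | Where-Object { $_.'Serial Number' -eq '0000000001' }
if (-not $row) { throw 'Serial number not found in the token CSV' }
Get-TotpCode -Seed (ConvertFrom-Base32 $row.'Secret Key') -TimeInterval ([int]$row.'Time Interval')
```

With a real supplier file, replace the here-string with `Import-Csv -Path $tokensCSV`; the upload and activation calls against the undocumented API are deliberately not reproduced here.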

You can find the script on my GitHub page; please leave a comment below or on GitHub if you have any questions or feedback.

Get the Script from GitHub

Written on November 4, 2020