A recent update to Microsoft Entra ID now allows end-users to self-service hardware OATH tokens, removing the need for administrators to manually activate them. Admins can upload hardware tokens into a "public repository" via Graph API, allowing users to assign tokens to their accounts through the "My Security Info" page.

Users simply enter the token's serial number and a 6-digit OTP from the hardware token to activate it. In addition, this improvement introduces support for SHA256 hashes for hardware tokens, enhancing security by providing a more secure hashing algorithm for token validation (which means our C203 can now be used with Entra ID). One more piece of good news is that there is no need to import the tokens using a global administrator account; a properly delegated Graph API permission is enough to perform the operation. Please note that a P1 or P2 premium license is still required for this feature.

We will publish a detailed guide on how to use this new feature soon.