Both Azure MFA on-premises server and cloud service now support hardware tokens using time-based one time passcodes (OATH TOTP). Deepnet SafePass is a USB key that supports both FIDO and OATH OTP. It can be configured to generate time-based OTP, and used with Azure MFA.

First, administrators need to seed SafePass USB keys with TOTP tokens, then upload the token seeds onto the Azure MFA server. As the SafePass USB key does not have the display function, user will use the SafePass application to display OTP generated by the SafePass USB key.

Seeding SafePass USB Keys

Uploading Seed File to Azure MFA

In the Admin Tool folder, you will see a file named "tseed.csv"

SafeKey > How to use Deepnet SafePass with Azure MFA and Office 365 > image2019-6-18_1-9-37.png

This is the seed file in the format required by the Azure MFA cloud service.

SafeKey > How to use Deepnet SafePass with Azure MFA and Office 365 > image2019-6-18_1-12-6.png

This file can be directly uploaded onto the Azure MFA cloud service.

Now, sign in to the Azure portal and navigate to Azure Active Directory, MFA Server, OATH tokens

SafeKey > How to use Deepnet SafePass with Azure MFA and Office 365 > oath-tokens-azure-ad.png

Select "Upload" to upload the CSV file.

Depending on the size of the CSV file, it may take a few minutes to process. Click the Refresh button to get the current status. If there are any errors in the file, you will have the option to download a CSV file listing any errors for you to resolve.

Once any errors have been addressed, the administrator then can activate each key by clicking Activate for the token to be activated and entering the OTP displayed on the token.

Generating OTP

To generate OTPs, the user will need to run the SafePass application.

Seeding SafePass USB Keys

Uploading Seed File to Azure MFA

Generating OTP

Related Articles