There are two ways to set up tokens for offline MFA: download tokens automatically or create tokens manually.

Download Offline Tokens Automatically

For domain users, you can configure your system to automatically download MFA tokens for offline MFA logins. 

While you can use Microsoft Entra to authenticate users in computer MFA login, for downloading offline tokens, you need the DualShield MFA server or the SafeID Token Service (STS). There are 2 typical setups:

Setup 1:

  • Configure the Computer MFA Logon Agent to use Microsoft Entra as the MFA service
  • Configure Microsoft Entra to use DualShield or STS as the MFA service via EAM (External Authentication Method)
  • Configure the Computer MFA Logon Agent to download offline tokens from DualShield or STS

Setup 2:

  • Configure the Computer MFA Logon Agent to use DualShield or STS as the MFA service
  • Configure the Computer MFA Logon Agent to download offline tokens from DualShield or STS

If you prefer to use Entra Conditional Access policies for controlling access, etc., Setup 1 is recommended over Setup 2.

When users sign in to computers using their Entra ID domain accounts, their tokens will be automatically downloaded to the computers. 


Create Offline Tokens Manually

To manually create a token for offline login and other operations on a PC, the user must follow the steps below:

First, log in to the PC while the PC is online, using the user's domain account

Launch a web browser, and navigate to the user console at http://localhost:12845/localTokens 

Click the "CREATE TOKEN" button

Enter a name for your token, such as your user name

Click the "SAVE" button to save the token

Now, you need to install the token onto your mobile phone.

Click the context menu icon of the newly created token, and select "QR Code" from the menu

You can use your TOTP authenticator app, such as Microsoft Authenticator or SafeID Authenticator, to scan the QR code.

After the token has been installed onto your phone, you should test it.

Click the context menu of the token again, and select "Test"






