Using the Graph API to enroll hardware tokens is a newly introduced feature in Entra ID. Currently, you can use the Graph API to upload tokens into Entra ID, but there is no UI in the Entra Admin Portal for administrators or the help desk team to manage those tokens. Those tokens can only be self-enrolled by the users.

If you need a system that allows administrators or the help desk team to enroll and manage tokens, as well as allows your users to self-enroll their tokens, then check out the SafeID Token Service.

To enroll hardware tokens into Entra ID using the Graph API, follow the steps below.

Step 1: Get the JSON file of the hardware tokens

Step 2: Upload hardware tokens using the Graph Explorer

Step 3: Check the token repository using Graph API

Optionally, you can check the token repository to make sure that the tokens have been successfully uploaded into Entra ID.

To access the Graph Explorer, visit: https://developer.microsoft.com/en-us/graph/graph-explorer

Sign in using your Entra account

Change the HTTP method from "GET" to "PATCH", and change the endpoint to "https://graph.microsoft.com/beta/directory/authenticationMethodDevices/hardwareOathDevices"

Click "Modify Permissions"

Grant consent for the "Policy.ReadWrite.AuthenticationMethod" permission

Click the "Request body" tab

Open the JSON file in a text editor, copy all the contents, and paste the data into the Request body.

Click the Run query button.

If you see "OK - 200 - ...", then the tokens have been successfully uploaded into the Token Repository in your Entra ID tenant.
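
The token file can be checked offline before it is pasted into the Request body, so that malformed seeds or duplicate serial numbers are caught before anything is written to the tenant. The script below is an added example, not part of the original page or of any vendor tooling; the field names, the "value" wrapper and the allowed values are assumed from the Microsoft Graph beta hardwareOathTokenAuthenticationMethodDevice resource, and the sample tokens are constructed.

```python
import base64
import json

# Field names and allowed values are assumed from the Microsoft Graph beta
# hardwareOathTokenAuthenticationMethodDevice resource; compare with your own file.
REQUIRED = ("serialNumber", "manufacturer", "model", "secretKey",
            "timeIntervalInSeconds", "hashFunction")
ALLOWED = {"hashFunction": ("hmacsha1", "hmacsha256"), "timeIntervalInSeconds": (30, 60)}

def secret_ok(secret):
    """True if the seed is Base32 and decodes to >= 16 bytes (RFC 4226 minimum)."""
    try:
        padded = secret.upper() + "=" * (-len(secret) % 8)
        return len(base64.b32decode(padded)) >= 16
    except (AttributeError, TypeError, ValueError):  # not a string, or not Base32
        return False

def validate_batch(text):
    """Return a list of problems; secret values never appear in the messages."""
    try:
        entries = json.loads(text)["value"]
    except (ValueError, KeyError, TypeError):
        return ["expected a JSON object with a 'value' array"]
    if not isinstance(entries, list) or not entries:
        return ["'value' must be a non-empty array of tokens"]
    problems, seen = [], set()
    for i, tok in enumerate(entries, 1):
        tok = tok if isinstance(tok, dict) else {}  # non-objects fail every field check
        serial = str(tok.get("serialNumber", ""))
        label = f"entry {i} ({serial or 'no serial'})"
        problems += [f"{label}: missing {f}" for f in REQUIRED if f not in tok]
        if serial and serial in seen:
            problems.append(f"{label}: duplicate serialNumber")
        seen.add(serial)
        if "secretKey" in tok and not secret_ok(tok["secretKey"]):
            problems.append(f"{label}: secretKey is not Base32 or is under 128 bits")
        for field, allowed in ALLOWED.items():
            if field in tok and tok[field] not in allowed:
                problems.append(f"{label}: {field} must be one of {allowed}")
    return problems

# Constructed sample: the second token reuses the serial, has an 80-bit seed and a bad hash.
GOOD = {"serialNumber": "TEST-0001", "manufacturer": "Example", "model": "T1",
        "secretKey": base64.b32encode(bytes(range(20))).decode(),
        "timeIntervalInSeconds": 30, "hashFunction": "hmacsha1"}
BAD = dict(GOOD, secretKey=base64.b32encode(b"0123456789").decode(), hashFunction="md5")
SAMPLE = json.dumps({"value": [GOOD, BAD]})

if __name__ == "__main__":
    print("\n".join(validate_batch(SAMPLE)) or "no problems found")
```

The file holds the OATH seeds in clear text, so run the check on the same restricted machine that holds the file and delete local copies once the upload is confirmed.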

To check your Token Repository in Entra ID, you must also use the Graph API.

Step 4: Self-Enroll hardware tokens into Entra ID

You can now give the tokens to your users and ask them to self-enroll their tokens in Entra ID.

...