


To access the Graph Explorer, visit: https://developer.microsoft.com/en-us/graph/graph-explorer

Sign in using your Entra account

Change the HTTP method from "GET" to "PATCH", and change the endpoint to "https://graph.microsoft.com/beta/directory/authenticationMethodDevices/hardwareOathDevices"

Now, click "Modify Permissions" to check whether you have the "Policy.ReadWrite.AuthenticationMethod" permission

Click "Open the permissions panel" link

If you have not been granted consent for the "Policy.ReadWrite.AuthenticationMethod" permission, then you need to ask the global administrator to grant the consent to use the Graph API.

Option 1 – Through Graph Explorer (Admin Account)

  1. Have a Global Administrator or Privileged Role Administrator sign in to Graph Explorer.

  2. In the Permissions tab, find Policy.ReadWrite.AuthenticationMethod.

  3. Instead of “Consent on behalf of yourself,” the admin will see an option to Consent on behalf of the entire organization.

  4. Click Consent → approve.


Option 2 – Through Azure Portal (Enterprise Applications)

  1. Go to Azure Portal → Azure Active Directory → Enterprise Applications.

  2. Find Graph Explorer (it’s registered as an Enterprise Application in your tenant).

  3. Under Permissions → Admin Consent, the admin can review pending permissions.

  4. Grant consent for Policy.ReadWrite.AuthenticationMethod on behalf of the organization.

If you have the consent for the "Policy.ReadWrite.AuthenticationMethod" permission, then you can continue.

Click the "Request body" tab

Open the JSON file in a text editor, copy all the contents, and paste the data into the Request body 

Click the Run query button.

If you see "OK - 200 - ...", then the tokens have been successfully uploaded into the Token Repository in your Entra ID tenant.

To check your Token Repository in Entra ID, you must also use the Graph API.

In the Graph Explorer, set the HTTP method to "GET", and set the endpoint URL to: https://graph.microsoft.com/beta/directory/authenticationMethodDevices/hardwareOathDevices

Click "Run Query"

You can scroll down to find the tokens that you have just uploaded, e.g. "serialNumber": "70029370",



You can now give the tokens to your users and ask them to self-enroll their tokens in Entra ID

For users to self-enroll their tokens, they sign in at: https://mysignins.microsoft.com

Navigate to: Security Info

Click "Add sign-in method"

Select the "Hardware token" method from the available options.

The user will be prompted to enter the serial number of the hardware token.

Enter the token's serial number, e.g. 70029370

Click "Next"

The user is now prompted to enter the name of the hardware token.

Enter the token's name, e.g. SafeID/Enterprise

Click "Next"

The user is now prompted to enter a verification code generated from the hardware token.

Enter the code generated from the hardware token, e.g. 077400

Click "Next"

If the code entered is correct, the hardware token has been successfully added to the user's account.

Click "Done"

The hardware token is now ready to be used for verifying the user at the next login.
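
A pre-upload check for the JSON file that is pasted into the Request body, as an added example that is not part of the original page or any vendor tooling: it flags duplicate serial numbers and malformed seeds, and computes the RFC 6238 code so that one token's display can be compared with its seed record before the batch is uploaded. The field names (`serialNumber`, `secretKey`, `timeIntervalInSeconds`, `hashFunction`) and their allowed values are assumed from Microsoft's Graph beta documentation; the sample records are constructed and use the RFC 6238 test seed.

```python
import base64, hashlib, hmac, json, struct

HASHES = {"hmacsha1": hashlib.sha1, "hmacsha256": hashlib.sha256}  # assumed allowed values
KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test seed, not a real token secret

# Constructed sample; the field names are assumed from Microsoft's Graph beta docs.
SAMPLE = json.dumps({"@context": "#$delta", "value": [
    {"@contentId": "1", "serialNumber": "70029370", "secretKey": KEY,
     "timeIntervalInSeconds": 30, "hashFunction": "hmacsha1"},
    {"@contentId": "2", "serialNumber": "70029370", "secretKey": "not-base32!",
     "timeIntervalInSeconds": 45, "hashFunction": "md5"},
]})

def decode_secret(b32):
    """Decode a Base32 seed, tolerating spaces, lower case and missing padding."""
    s = "".join(b32.split()).upper() if isinstance(b32, str) else ""
    if not s:
        raise ValueError("empty secret")
    return base64.b32decode(s + "=" * (-len(s) % 8))

def totp(b32, unix_time, step=30, hash_name="hmacsha1", digits=6):
    """RFC 6238 code for the given time; compare it with the token's display."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(decode_secret(b32), counter, HASHES[hash_name]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def check_file(text):
    """Return (serialNumber, problem) pairs; secrets are never echoed back."""
    problems, seen = [], set()
    for dev in json.loads(text).get("value", []):
        sn = dev.get("serialNumber") or "<missing>"
        if sn in seen:
            problems.append((sn, "duplicate serialNumber"))
        seen.add(sn)
        if dev.get("hashFunction") not in HASHES:
            problems.append((sn, "unsupported hashFunction"))
        if dev.get("timeIntervalInSeconds") not in (30, 60):
            problems.append((sn, "unexpected timeIntervalInSeconds"))
        try:
            decode_secret(dev.get("secretKey", ""))
        except ValueError:
            problems.append((sn, "secretKey is not valid Base32"))
    return problems

if __name__ == "__main__":
    for serial, problem in check_file(SAMPLE):
        print(serial, problem)
    print(totp(KEY, 59))
```

The seed file holds every token's shared secret, so run the check on the administrator's workstation and delete or vault the file once the upload has succeeded.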




