To access the Graph Explorer, visit: https://developer.microsoft.com/en-us/graph/graph-explorer

Sign in using your Entra account

Change the HTTP method from "GET" to "PATCH", and change the endpoint to "https://graph.microsoft.com/beta/directory/authenticationMethodDevices/hardwareOathDevices"

Now, click the "Modify Permissions" to check if you have the "Policy.ReadWrite.AuthenticationMethod" permission

Click "Open the permissions panel" link

If you have not been granted the consent for the "Policy.ReadWrite.AuthenticationMethod" permission, then you need to admin the global administrator to grant the consent to use the Graph API.

Option 1 – Through Graph Explorer (Admin Account)

  1. Have a Global Administrator or Privileged Role Administrator sign in to Graph Explorer.

  2. In the Permissions tab, find Policy.ReadWrite.AuthenticationMethod.

  3. Instead of “Consent on behalf of yourself,” the admin will see an option to Consent on behalf of the entire organization.

  4. Click Consent → approve.

Option 2 – Through Azure Portal (Enterprise Applications)

  1. Go to Azure PortalAzure Active DirectoryEnterprise Applications.

  2. Find Graph Explorer (it’s registered as an Enterprise Application in your tenant).

  3. Under PermissionsAdmin Consent, the admin can review pending permissions.

  4. Grant consent for Policy.ReadWrite.AuthenticationMethod on behalf of the organization.


Click the "Request body" tab

Open the JSON file in a text editor, copy all the contents, and paste the data into the Request body 

Click the Run query button.

If you see "OK - 200 - ...", then the tokens have been successfully uploaded into the Token Resposiroty in your Entra ID tenant.

To check your Token Repository in Entra ID, you must also use the Graph API.

You can now give the tokens to your users and ask them to self-enroll their tokens in Entra ID