Using physical FortiTokens with Azure AD
Multi-Factor Authentication (MFA) is something we should all be doing more of, yet I don't see enough of it! Without going too far into why MFA is good, it's a very simple - yet effective - step we can all take to protect access to services, infrastructure, data and so on much better. I had a customer come to me asking if the FortiToken 200 could be used with Azure AD: they already had FortiGate and were using Azure AD as the SAML IdP, but they wanted to add 2FA.
My first question was "Well, if you're using Azure AD, you should be able to do Microsoft Authenticator at no additional cost, so why not do that?". My customer smiled - that smile of acknowledging the idea, but they had tried that already - and said "We considered that idea; however, use of an employee's personal device cannot be mandated, so we need an alternative in the event an employee doesn't want to load an app on their phone." So, with the challenge set, I decided to look into it.
You are in possession of the seed file in Azure format. If you don't know what this is, chances are you don't have it. You will need to reach out to your account team to obtain it - if you don't know your account team, ask your reseller to find out for you. This is crucial: you cannot add these tokens to Azure AD without the seed file.
You have administrator access to Azure AD - again, you cannot perform the tasks in this guide without administrator access to Azure AD.
Now that we have the boring stuff out of the way, let's get started!
Importing the tokens into Azure AD
When you receive the seed file in Azure format, it should be a Comma Separated Value (Comma Delimited, CSV) file - PROTECT THIS FILE AS IF IT WERE YOUR USER DATABASE, WILDCARD PRIVATE KEY, OR SOMETHING ELSE THAT WOULD BE REALLY BAD IF IT GOT OUT. It should open in Microsoft Excel or Notepad for editing. To import the seeds into Azure AD, the columns need to be laid out in this order:
upn,serial number,secret key,time interval,manufacturer,model
Let's take a look at these values:
UPN: the User Principal Name of the user assigned to the token; in most cases it looks like email@example.com. You will need to provide this.
Serial Number: the serial number of the hardware token; this is provided by Fortinet.
Secret Key: the shared secret that lets Azure AD work out which numbers the FortiToken fob generates. I am sure it's much more complex than this; that is the "Explain Like I'm 5" version. This is provided by Fortinet.
Time interval: how often the numbers refresh; this is provided by Fortinet.
Manufacturer: this is provided by Fortinet in the seed file.
Model: the model of the hard token; this is provided by Fortinet in the seed file.
The CSV file I will use will look like this:
How it looks in a text editor:
Note: be sure to save this in .csv format.
To import into Azure AD:
Navigate to <Your domain> > Security > Multi-Factor Authentication > OATH tokens and click "Upload"
Select the CSV file you prepared for user/token assignment
And click open
Note the Status: it should tell you whether the upload succeeded or failed. If it failed, you will be given the option to download a file showing which users failed and why. Here's an example of the output when I uploaded my "dummy" example above:
On success you should see your listed users and what token they have assigned, like this:
Your final step is to activate the token by entering the verification code currently shown on the respective token.
This activates the token (by verifying the "secret key" is correct) and confirms the token is working.
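As an added example (not code from the original post, Fortinet or Microsoft), here is a small Python check for the CSV layout described above, plus an RFC 6238 TOTP routine you can use to confirm that a row's seed produces the same code the fob displays before you upload and activate it. It assumes, as Azure's OATH import documentation describes, that the secret key is base32-encoded and the time interval is 30 or 60 seconds; the sample row, serial and seed are constructed and are not a real FortiToken seed.

```python
import base64
import csv
import hashlib
import hmac
import io
import re
import struct
import time
# Column order Azure AD expects for an OATH hardware-token CSV (the header line from the guide).
EXPECTED_HEADER = ["upn", "serial number", "secret key", "time interval", "manufacturer", "model"]
# Constructed sample row: serial and seed are made up for illustration only.
SAMPLE_CSV = """upn,serial number,secret key,time interval,manufacturer,model
alice@example.com,FTK200XXXXXXXXXX,JBSWY3DPEHPK3PXP,60,Fortinet,FortiToken 200
"""
def _b32decode(secret):
    # Azure's import expects a base32-encoded seed (assumption from Azure's docs); tolerate missing padding.
    s = secret.strip()
    return base64.b32decode(s + "=" * (-len(s) % 8), casefold=True)
def validate_seed_csv(text):
    """Return (row number, problem) pairs; an empty list means the file matches the expected layout."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header is None or [h.strip().lower() for h in header] != EXPECTED_HEADER:
        return [(1, "header must be exactly: " + ",".join(EXPECTED_HEADER))]
    problems = []
    for n, row in enumerate(reader, start=2):
        if len(row) != len(EXPECTED_HEADER):
            problems.append((n, "expected %d comma-separated fields" % len(EXPECTED_HEADER)))
            continue
        upn, serial, secret, interval, _manufacturer, _model = (f.strip() for f in row)
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", upn):
            problems.append((n, "UPN '%s' does not look like user@domain" % upn))
        if not serial:
            problems.append((n, "serial number is empty"))
        try:
            if not _b32decode(secret):
                raise ValueError("empty secret")
        except ValueError:  # binascii.Error (bad base32) is a ValueError subclass
            problems.append((n, "secret key is not valid base32"))
        if interval not in ("30", "60"):
            problems.append((n, "time interval '%s' must be 30 or 60 seconds" % interval))
    return problems
def totp_code(secret_b32, interval=60, digits=6, now=None):
    """RFC 6238 TOTP (HMAC-SHA1) for a seed; compare with the fob's display to confirm the seed before activation."""
    counter = int((time.time() if now is None else now) // interval)
    mac = hmac.new(_b32decode(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"
```

Run validate_seed_csv over the file you intend to upload; any mismatch it reports (a misspelled header column is a common one) will show up as a failed row in the Azure AD status download.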
Depending on your Azure AD subscription you can apply Conditional Access policies to enforce the use of MFA
Now that you've imported the token, activated it, and assigned MFA policies you can go forth and use it! Thank you for reading, I hope this helps.