Edit

Share via

Create hardwareOathTokenAuthenticationMethodDevice

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Create a new hardwareOathTokenAuthenticationMethodDevice object. This API supports two scenarios:

  • Create the new hardware token without assigning to a user. You can then assign to a user.
  • Create and assign a hardware token to a user in the same request.

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet

Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Permission type Least privileged permissions Higher privileged permissions
Delegated (work or school account) Policy.ReadWrite.AuthenticationMethod Not available.
Delegated (personal Microsoft account) Not supported. Not supported.
Application Policy.ReadWrite.AuthenticationMethod Not available.

Important

When using delegated permissions with work or school accounts, the signed-in user must have an appropriate Microsoft Entra role or a custom role with the necessary permissions. The least privileged built-in role required for this operation is Authentication Policy Administrator.

To create and assign a hardware OATH token to a user in a single request, the signed-in user must also have:

  • The UserAuthenticationMethod.ReadWrite.All delegated permission.
  • Either Authentication Administrator (least privileged role for assigning hardware tokens to nonadmin users) or Privileged Authentication Administrator (least privileged role for assigning hardware tokens to admin users) role.

HTTP request

POST /directory/authenticationMethodDevices/hardwareOathDevices

Request headers

Name Description
Authorization Bearer {token}. Required. Learn more about authentication and authorization.
Content-Type application/json. Required.

Request body

In the request body, supply a JSON representation of the hardwareOathTokenAuthenticationMethodDevice object.

You can specify the following properties when creating a hardwareOathTokenAuthenticationMethodDevice.

Property Type Description
serialNumber String Serial number of the specific hardware token, often found on the back of the device. Required.
manufacturer String Manufacturer name of the hardware token. Required.
model String Model name of the hardware token. Required.
secretKey String Secret key of the specific hardware token, provided by the vendor. Required.
timeIntervalInSeconds Int32 Refresh interval of the six-digit verification code, in seconds. The possible values are: 30 or 60. Required.
hashFunction hardwareOathTokenHashFunction Hash function of the hardware token. The possible values are: hmacsha1 or hmacsha256. Default value is: hmacsha1. Optional.
assignTo identity User ID if you want to directly assign the token to a user. Optional.
displayName String Name that can be provided to the Hardware OATH token. Optional.

Response

If successful, this method returns a 201 Created response code and a hardwareOathTokenAuthenticationMethodDevice object in the response body.

Examples

Example 1: Create a token without user assignment

Request

The following example shows a request.

POST https://graph.microsoft.com/beta/directory/authenticationMethodDevices/hardwareOathDevices
Content-Type: application/json

{
  "displayName": "Token 1",
  "serialNumber": "TOTP123456",
  "manufacturer": "Contoso",
  "model": "Hardware Token 1000",
  "secretKey": "6PJ4UKIW33NNXYZAEHQNFUFTZF7WFTFB",
  "timeIntervalInSeconds": 30,
  "hashFunction": "hmacsha1"
}

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-Type: application/json

{
  "@odata.type": "#microsoft.graph.hardwareOathTokenAuthenticationMethodDevice",
  "id": "9b037532-f999-1ed9-13fd-849ffb995e11",
  "displayName": "Token 1",
  "serialNumber": "TOTP123456",
  "manufacturer": "Contoso",
  "model": "Hardware Token 1000",
  "secretKey": null,
  "timeIntervalInSeconds": 30,
  "status": "available",
  "lastUsedDateTime": null,
  "assignedTo": null,
  "hashFunction": "hmacsha1"
}

Example 2: Create a token and assign it to a user

Request

The following example shows a request.

POST https://graph.microsoft.com/beta/directory/authenticationMethodDevices/hardwareOathDevices
Content-Type: application/json

{
  "displayName": "Token 1",
  "serialNumber": "TOTP123456",
  "manufacturer": "Contoso",
  "model": "Hardware Token 1000",
  "secretKey": "6PJ4UKIW33NNXYZAEHQNFUFTZF7WFTFB",
  "timeIntervalInSeconds": 30,
  "hashFunction": "hmacsha1",
  "assignTo": {
    "id": "0cadbf92-####-####-####-############"
    }
}

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-Type: application/json

{
  "@odata.type": "#microsoft.graph.hardwareOathTokenAuthenticationMethodDevice",
  "id": "9b037532-f999-1ed9-13fd-849ffb995e11",
  "displayName": "Token 1",
  "serialNumber": "TOTP123456",
  "manufacturer": "Contoso",
  "model": "Hardware Token 1000",
  "secretKey": null,
  "timeIntervalInSeconds": 30,
  "status": "assigned",
  "lastUsedDateTime": null,
  "assignedTo": null,
  "hashFunction": "hmacsha1",
  "assignedTo": {
    "id": "0cadbf92-####-####-####-############",
    "displayName": "Amy Masters"
    }
}