| title | Create hardwareOathTokenAuthenticationMethodDevice |
|---|---|
| description | Create a new hardwareOathTokenAuthenticationMethodDevice object. |
| author | luc-msft |
| ms.localizationpriority | medium |
| ms.subservice | entra-sign-in |
| doc_type | apiPageType |
| ms.date | 07/02/2025 |
Namespace: microsoft.graph
[!INCLUDE beta-disclaimer]
Create a new hardwareOathTokenAuthenticationMethodDevice object. This API supports two scenarios:
- Create the new hardware token without assigning to a user. You can then assign to a user.
- Create and assign a hardware token to a user in the same request.
[!INCLUDE national-cloud-support]
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
[!INCLUDE permissions-table]
Important
When using delegated permissions with work or school accounts, the signed-in user must have an appropriate Microsoft Entra role or a custom role with the necessary permissions. The least privileged built-in role required for this operation is Authentication Policy Administrator.
To create and assign a hardware OATH token to a user in a single request, the signed-in user must also have:
- The UserAuthenticationMethod.ReadWrite.All delegated permission.
- Either Authentication Administrator (least privileged role for assigning hardware tokens to nonadmin users) or Privileged Authentication Administrator (least privileged role for assigning hardware tokens to admin users) role.
POST /directory/authenticationMethodDevices/hardwareOathDevices| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-Type | application/json. Required. |
In the request body, supply a JSON representation of the hardwareOathTokenAuthenticationMethodDevice object.
You can specify the following properties when creating a hardwareOathTokenAuthenticationMethodDevice.
| Property | Type | Description |
|---|---|---|
| serialNumber | String | Serial number of the specific hardware token, often found on the back of the device. Required. |
| manufacturer | String | Manufacturer name of the hardware token. Required. |
| model | String | Model name of the hardware token. Required. |
| secretKey | String | Secret key of the specific hardware token, provided by the vendor. Required. |
| timeIntervalInSeconds | Int32 | Refresh interval of the six-digit verification code, in seconds. The possible values are: 30 or 60. Required. |
| hashFunction | hardwareOathTokenHashFunction | Hash function of the hardware token. The possible values are: hmacsha1 or hmacsha256. Default value is: hmacsha1. Optional. |
| assignTo | identity | User ID if you want to directly assign the token to a user. Optional. |
| displayName | String | Name that can be provided to the Hardware OATH token. Optional. |
If successful, this method returns a 201 Created response code and a hardwareOathTokenAuthenticationMethodDevice object in the response body.
The following example shows a request.
POST https://graph.microsoft.com/beta/directory/authenticationMethodDevices/hardwareOathDevices
Content-Type: application/json
{
"displayName": "Token 1",
"serialNumber": "TOTP123456",
"manufacturer": "Contoso",
"model": "Hardware Token 1000",
"secretKey": "6PJ4UKIW33NNXYZAEHQNFUFTZF7WFTFB",
"timeIntervalInSeconds": 30,
"hashFunction": "hmacsha1"
}[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-Type: application/json
{
"@odata.type": "#microsoft.graph.hardwareOathTokenAuthenticationMethodDevice",
"id": "9b037532-f999-1ed9-13fd-849ffb995e11",
"displayName": "Token 1",
"serialNumber": "TOTP123456",
"manufacturer": "Contoso",
"model": "Hardware Token 1000",
"secretKey": null,
"timeIntervalInSeconds": 30,
"status": "available",
"lastUsedDateTime": null,
"assignedTo": null,
"hashFunction": "hmacsha1"
}The following example shows a request.
POST https://graph.microsoft.com/beta/directory/authenticationMethodDevices/hardwareOathDevices
Content-Type: application/json
{
"displayName": "Token 1",
"serialNumber": "TOTP123456",
"manufacturer": "Contoso",
"model": "Hardware Token 1000",
"secretKey": "6PJ4UKIW33NNXYZAEHQNFUFTZF7WFTFB",
"timeIntervalInSeconds": 30,
"hashFunction": "hmacsha1",
"assignTo": {
"id": "0cadbf92-####-####-####-############"
}
}[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-Type: application/json
{
"@odata.type": "#microsoft.graph.hardwareOathTokenAuthenticationMethodDevice",
"id": "9b037532-f999-1ed9-13fd-849ffb995e11",
"displayName": "Token 1",
"serialNumber": "TOTP123456",
"manufacturer": "Contoso",
"model": "Hardware Token 1000",
"secretKey": null,
"timeIntervalInSeconds": 30,
"status": "assigned",
"lastUsedDateTime": null,
"assignedTo": null,
"hashFunction": "hmacsha1",
"assignedTo": {
"id": "0cadbf92-####-####-####-############",
"displayName": "Amy Masters"
}
}