Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
24,194 questions
Azure AD "Software OATH token (Preview)" added to several accounts - not done by users.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 19%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKH%3C/text%3E%3C/svg%3E)
Kevin Hernandez
16
Reputation points
Hello All,
Starting to receive calls that users were trying to sign in to Office 365 and they cannot because MFA isn't working. The user states they are asked to give a code from the authenticator app to get access. Users all state that they never downloaded the authenticator app, nor did they register the app for MFA or SSPR. They cannot get pass this prompt.
Most users do not have any other methods listed other than the (Software OATH token (Preview) and they cannot access or get past it. So the helpdesk has to remove the Software OATH token (Preview) and then the user can get the prompt to register two valid methods and continue to access the app or resources they need.
Where did this "preview" method come from? Admins or Users didn't enable it. Is there a way to remove them all in bulk?
{count} votes
-
JamesTran-MSFT 36,861 Reputation points Microsoft Employee2023-01-11T00:30:57.677+00:00 @Kevin Hernandez Thank you for your post and I apologize for the delayed response!
My team is currently looking into your issue and will update as soon as possible.
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 64%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET3%3C/text%3E%3C/svg%3E)
ThomasVANDENBOSSCHE-3120 0 Reputation points2023-05-11T08:39:39.7566667+00:00 I just got the same issue, any update on this?
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 71%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECH%3C/text%3E%3C/svg%3E)
Chad Hooper 1 Reputation point2023-08-15T16:46:41.3366667+00:00 I just discovered this under one of my users' accounts after investigating some malicious emails originating from one of the users.
I've been struggling to determine how the hacker has been logging in as this MFA protected account, and I believe it is due to this 'Software OATH Token'. My guess is that they clicked on a malicious link which allowed the hacker to obtain username/password, and also install an additional authentication method for use by the hacker.Purely an assumption at the moment, but I can't see how else this hacker has managed to log into this MFA protected account on multiple occasions without needing access to the user's mobile phone.
It is now deleted, and hopefully means the account is protected again.
Sign in to comment
Sign in to answer