Azure AD Basic (Free)
If you do not have Azure AD Premium license, then your users can use the programmable hardware tokens below to replace the Microsoft Authenticator app.
How it Works
Every one-time password (OTP) token generates different and unique numbers, that is because every token contains a unique piece of code called secret or seed. Azure MFA for Office 365 generates the user’s secret and provides it as a QR code. Using a programming tool, the user’s secret can be programmed into a programmable hardware token by scanning the QR code. This process is exactly the same as that the user’s secret is installed into the Microsoft Authenticator or Google Authenticator app.
You can program hardware tokens using a Windows PC or laptop with a NFC Smart Card Reader, Android phone with NFC function, or iPhone with NFC function.
Once a hardware token is programmed, it works on its own. It doesn't connect to your phone or the internet in order to generate one-time passwords.