
OTP with O365 Global Admin



I have received a request: 

"We MUST get all of our office365 admin accounts configured to require MFA.  I want to use OTP code from an app and store them in Passwordstate.

I need someone to create a secondary global admin account at a customer and figure out how to make this happen."


I have created the second global and enabled MFA for it as so:

  • Log in to the Office 365 admin portal and navigate to Users and then Active users. From the More menu, choose Setup Azure multi-factor auth.
  • Change the view to Global administrators to list the global admin accounts for your tenant. Check the box for the admin account that you are enabling MFA for, then click the Enable link.
  • After MFA has been enabled, the next time you log in to an Office 365 portal with the admin account you’ll be prompted to set up the additional authentication mechanism.
  • The options include a phone call, text message, or application-generated code. (chose Application-generated code). This generates a QR code that I took a screenshot of and saved the image as a jpg file, along with the secret key (see attached image for demo). (Not actually using phone so cannot actually finish here, but my understanding is that I only need the QR image or Issuer with secret key).

The instructions I was able to find for setting up OTP to use this code or key are to (1) build a shared password list based on the OTP template and (2) create a Password Record for logging into O365 for the new global account and configure the OTP at the bottom of the record by adding logon credentials.


("Now you can configure the One-Time Password Authenticator.  You can do this via either a QR code provided by your Issuer, or by entering the Issuer details manually.  To enter a QR Code simply click on the icon of a QR code and either browse to the location of your QR Code by clicking on the select button, or, drag the QR Code over the Drop Image Here" -- Alternatively, you can add the details manually.  To do this you must provide both the Issuer and Secret as provided by your Issuer.  Make sure to cut and paste the Issuer and Secret into the correct fields;)


Pasting in the Issuer and secret worked insofar as it accepted my input (dropping the QR code image did not) and starts retrieving codes.


However when I paste this code into the MFA box when logging in, I keep getting:

We did not receive the expected response. Please try again.
Correlation ID: 68daf990-6a7a-4ab0-a093-659c89849d8d
Session ID: 2206bbea-146f-41bf-acef-722933ee27cc


I'm really unclear what to do from here or where I may have messed up the configurations. I feel I am so close. Can anyone assist?





  • 2 weeks later...



I recognize the issue you're having, and from what I remember last time I added a 365 Global Admin OTP I had to remove the spaces in the "Secret" for it to be accepted by PasswordState. Keep everything else as it is at 30 seconds, 6 digits and SHA1 and it should work.


Best regards
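
The settings named in the reply above (secret with spaces removed, 30 seconds, 6 digits, SHA1), shown as an added example that is not part of the thread and is not Passwordstate's or Microsoft's code. It computes RFC 6238 codes so a stored secret can be checked offline; the secret is the public RFC 6238 test key, and its spaced lowercase layout is a constructed sample.

```python
import base64
import binascii
import hashlib
import hmac
import struct

# Constructed sample: the RFC 6238 test key ("12345678901234567890") in
# Base32, laid out in space-separated lowercase groups. Not a real secret.
SPACED_SECRET = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"


def strict_decode_ok(secret: str) -> bool:
    """True if the secret Base32-decodes exactly as pasted (no clean-up)."""
    try:
        base64.b32decode(secret)
        return True
    except binascii.Error:
        return False


def normalize_secret(secret: str) -> bytes:
    """Drop spaces, uppercase, restore '=' padding, then Base32-decode."""
    cleaned = "".join(secret.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 over the big-endian time-step counter."""
    key = normalize_secret(secret)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or `window` steps either side."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + drift * 30), code)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    print("pasted as-is decodes:", strict_decode_ok(SPACED_SECRET))
    print("code at T=59 after clean-up:", totp(SPACED_SECRET, 59))
```
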

