With NFC tokens, the provisioning is done by the IT person equipped with software and hardware that allows burning seeds onto programmable hardware tokens (i.e. an Android device with NFC, iPhone 8 or newer for “-i” models etc.). . However, we have many customers asking if this process can be done by end-users in a fully autonomous manner.
The answer is that, in theory, yes as your end-users can burn the NFC tokens themselves as no special admin access is needed (the provisioning needs to be done on behalf of the end-users). However, in most cases the main requirement for this, namely, having an NFC-equipped device to run the NFC burner on, is not met as the main scenario of using hardware tokens is when users have no smartphones at all (otherwise they would have used a mobile authenticator for enabling MFA). In this context, a solution we can recommend is using one of our USB-programmable tokens that do not require any additional hardware to be provisioned. The only 2 things needed to provision a USB hardware token are the token itself plugged to a computer running Windows using the USB cable (supplied) and the USB Config tool. This guide shows the process of provisioning a USB-programmable hardware token with Office 365 MFA on behalf of the regular user with no admin privileges.