Transfer SecurID 700 Hardware Token Ownership to Cloud Authentication Service

You can transfer ownership and administration of assigned and unassigned SecurID 700 hardware tokens from RSA Authentication Manager (AM) to Cloud Authentication Service (CAS). You select which token records are transferred, and you initiate the transfer. After the token records are transferred to the cloud, AM no longer manages the tokens and cannot take back ownership.

Note: A connection through an embedded or external identity router does not support this integration. For more information, see Connect RSA Authentication Manager to the Cloud Access Service.

Token Eligibility for Transfer

The following SecurID 700 hardware tokens are eligible for transfer:

  • Assigned hardware tokens that are enabled.

  • Unassigned hardware tokens that are enabled or disabled.

    By default, unassigned hardware tokens are disabled in AM.

Ineligible tokens are logged as "ignored" by AM or "failed" by CAS. The following table lists the tokens that cannot be transferred.

| Token condition | Not Transferred by AM (Ignored) | Not Accepted by Cloud Authentication Service (Failed) |
|---|---|---|
| Not a SecurID 700 hardware token. | X | |
| Lost token. | X | |
| Assigned token that is disabled. | X | |
| Token that is being replaced or a replacement token. | X | |
| Expired token. | X | |
| Token that does not require a PIN. | | X |
| User record is pending deletion in CAS. | | X |
| Token is assigned to a user who has different e-mail addresses in AM and CAS. | | X |
| Token assigned to a user who is in the AM internal database and not present in CAS. | | X |
| Token assigned to a user who is disabled in the identity source and does not exist in CAS. | | X |
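
The eligibility rules above can be applied as a pre-flight check to predict which tokens a transfer job will report as transferred, ignored, or failed. The following Python sketch is an added example, not RSA code and not part of the original page. The Token fields, the sample records, and the order in which the rules are checked are assumptions made for illustration; only the conditions themselves come from the table.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Token:  # hypothetical record shape, not an AM or CAS schema
    serial: str
    model: str = "SecurID 700"
    enabled: bool = True
    lost: bool = False
    expired: bool = False
    in_replacement: bool = False       # being replaced, or is the replacement
    requires_pin: bool = True
    am_email: Optional[str] = None     # None: token is unassigned
    cas_email: Optional[str] = None    # None: user is not present in CAS
    internal_db: bool = False          # user is in the AM internal database
    disabled_in_source: bool = False   # user is disabled in the identity source
    cas_pending_deletion: bool = False

def classify(t: Token) -> Tuple[str, str]:
    """Return (outcome, reason); outcome is 'transfer', 'ignored' or 'failed'."""
    assigned = t.am_email is not None
    in_cas = assigned and t.cas_email is not None
    missing = assigned and not in_cas
    rules = [  # AM-side rows are checked first (assumed order), then CAS-side
        ("ignored", t.model != "SecurID 700", "not a SecurID 700 hardware token"),
        ("ignored", t.lost, "lost token"),
        ("ignored", assigned and not t.enabled, "assigned token is disabled"),
        ("ignored", t.in_replacement, "being replaced or a replacement token"),
        ("ignored", t.expired, "expired token"),
        ("failed", not t.requires_pin, "token does not require a PIN"),
        ("failed", in_cas and t.cas_pending_deletion, "user pending deletion in CAS"),
        ("failed", in_cas and t.am_email != t.cas_email, "e-mail differs in AM and CAS"),
        ("failed", missing and t.internal_db, "internal database user not in CAS"),
        ("failed", missing and t.disabled_in_source, "disabled user not in CAS"),
    ]
    return next(((o, r) for o, hit, r in rules if hit), ("transfer", "eligible"))

def summarize(tokens) -> Counter:  # counts per outcome, like the job summary
    return Counter(classify(t)[0] for t in tokens)

SAMPLE = [  # constructed records
    Token("000000000001", am_email="a@example.com", cas_email="a@example.com"),
    Token("000000000002", enabled=False),  # unassigned and disabled: eligible
    Token("000000000003", enabled=False, am_email="a@example.com", cas_email="a@example.com"),
    Token("000000000004", requires_pin=False),
    Token("000000000005", am_email="b@example.com", cas_email="b@corp.example"),
    Token("000000000006", am_email="c@example.com", internal_db=True),
]
```

Running summarize(SAMPLE) gives the per-outcome counts to compare against the job summary after the real transfer completes.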

What to Expect

When you transfer SecurID 700 hardware tokens from RSA Authentication Manager to CAS, expect the following:

  • After the ownership is transferred, all policies and configurations from CAS will be applied for cloud authentication. CAS will perform the tokencode validation.

  • For transferred or Cloud-owned SecurID 700 tokens:

  • When CAS or the connection from AM to CAS is unavailable, AM can validate Authenticate Tokencode locally by using downloaded High Availability (HA) Tokencode data if HA Tokencode is enabled. In addition, Cloud-managed SecurID 700 token records are also available in AM because they are synchronized from CAS to AM by default, so SecurID 700 tokencodes can be validated locally when data for the user is available, regardless of whether HA Tokencode is enabled.

  • PINs for transferred tokens follow the PIN policies for CAS. Existing PINs for transferred tokens can be used to authenticate.

  • Alphanumeric PINs are case-sensitive in CAS. AM PINs are not case-sensitive; for example, AXD72rc and axd72rc are considered the same PIN. CAS accepts only the case used when the PIN was created, for example, AXD72rc.

  • AM supports token attribute definitions that store information not contained in the standard set of token attributes. CAS does not support these optional attributes. Token attributes are removed when tokens are transferred to CAS.

  • Any changes to tokens that occur during the ownership transfer are not retained, except for security domain updates. For example, do not update the PIN or create an emergency access tokencode for a token that is being transferred.

  • Offline authentication is supported by MFA agents only in cloud direct or proxy mode for transferred or Cloud-owned tokens.

  • After transfer, SecurID 700 tokens managed by CAS remain available for authentication with applications protected by AM, including those using Agents connecting directly to AM without routing through the Cloud, and including agent authentications such as RADIUS.

  • AM forwards authentication requests for Cloud-managed SID700 tokens to CAS for validation. These authentication events can be monitored in the Cloud User Event Monitor.

  • SecurID 700 tokens that are uploaded directly to the Cloud (not transferred from AM) are synchronized back to AM through the Cloud synchronization job, making them available for authentication in AM-protected applications.

  • Transfer of token ownership from AM to CAS is supported for internal database users synchronized with CAS.

Transfer Tokens to CAS

Before you begin 

  • You must have an existing connection between AM and CAS.

  • Transferring SecurID 700 Hardware Token Ownership to CAS requires Authentication Manager version 8.7 or above.

  • You must be a Super Admin.

Procedure 

  1. In the Security Console, click Authentication > SecurID Tokens > Manage Existing.

  2. Click the Assigned or Unassigned tab to view assigned or unassigned tokens, respectively.

  3. Use the search fields to find the token that you want to transfer.

  4. Do the following:

    To transfer multiple tokens:

    1. Select the checkboxes next to the tokens that you want to transfer.

    2. From the Action menu, select Transfer Ownership to Cloud.

    To transfer one token:

    1. Click the token.

    2. From the context menu, select Transfer Ownership to Cloud.

  5. Click OK to transfer the tokens.

    You can view or cancel the batch job that transfers the tokens. See View Transfer Tokens to Cloud Jobs.

    After the transfer is complete, you can view the details by running the Administrator Activity report and selecting the activity key "Transfer Token Ownership To Cloud."

View Transfer Tokens to Cloud Jobs

Transfer tokens to cloud jobs are created when an administrator transfers the ownership and administration of SecurID 700 hardware tokens from RSA Authentication Manager to CAS.

These jobs are manually scheduled tasks that run on demand for RSA Authentication Manager. You can view jobs that are in progress and that have been completed.

Before you begin 

You must be a Super Admin.

Procedure 

To view details of a job in progress, do the following:

  1. In the Security Console, click Authentication > SecurID Tokens > Transfer Tokens to Cloud Job.

  2. Click the In Progress tab.

To view details of a completed job, do the following:

  1. Click Authentication > SecurID Tokens > Transfer Tokens to Cloud Job.

  2. Click the Completed tab.

  3. Click the job that you want to view.

  4. From the context menu, click View Job Summary.

    The View Job Summary page shows the number of tokens that were successfully transferred, ignored, and failed. The token transfer job ignores disabled tokens, replacement tokens, and tokens that are being replaced. Communication issues might cause a token to fail to transfer. Check your log files for more details.

Cancel a Transfer Tokens to Cloud Job

You can cancel a transfer tokens to cloud job with the status In Queue or In Progress.

When you cancel a job that is in progress, CAS manages tokens that were already transferred. The transferred tokens exist in both CAS and Authentication Manager until the next time that token records are synchronized.

Before you begin 

You must be a Super Admin.

Procedure 

  1. In the Security Console, click Authentication > SecurID Tokens > Transfer Tokens to Cloud Job.

  2. Click the batch job that you want to cancel, and select Cancel Job.

  3. Click OK to verify that you want to cancel the job.