No.
Basically you import Token Seed records into the AM Primary, each having a Serial #, and you assign these tokens to Users - who can either be manually created in the Internal DB (or migrated to the internal DB from a pre-AM 8 version e.g. AM 7.1 SP4 or AM 6.1.2 (up to 6.1.5), or these users could exist in an external LDAP Identity Source such as Active Directory.
The only 'automatic' thing here in AM, if a User who has a token assigned is deleted from AD, then you run an Identity Source Clean-up job (either Now or Scheduled), that user's assigned token will be unassigned and placed back in the available list of tokens.
Expired tokens remain in the database until deleted, either through Security Console (500 max at a time) or in bulk with AMBA or some Admin API tool like AMIS or custom developed Admin Apps.
