In a couple of weeks the spring edition of Microsoft Ignite is on the calendar, presumably with a lot of new announcements. At the beginning of this week I noticed a new authentication method in the Azure AD portal called Temporary Access Pass. On Monday there was no documentation available, but now there is! I believe it will be launched officially at Ignite. But of course I could take a little look at it before that 😉

What is Temporary Access Pass

Temporary Access Pass is a time-limited passcode that lets an end user authenticate without multi-factor authentication (valid for a limited time only and, if required, for a single use only). I already have a couple of use cases for Temporary Access Pass:

  • Enrolling a mobile device in Intune in single-app mode has been a problem, since you can't complete MFA on a device in single-app mode. More info about these caveats in another post.
  • If your company is already passwordless, you can sign in with a Temporary Access Pass to register a FIDO2 key!

Sounds perfect! 🎉

Configurations

You can enable Temporary Access Pass for selected users or all users under Authentication methods in the Azure portal.

Authentication methods in Azure AD

There are a couple of settings to set up. I suggest lowering the lifetimes and turning on the Require one-time use setting, so that the end user really gets only temporary access.

Settings of temporary access pass

Creating a Temporary Access Pass

If you try to create a Temporary Access Pass for a user in the Azure AD portal, you can't find it there. Instead of https://portal.azure.com, use https://preview.portal.azure.com. This will surely be in the GA portal later on.

Under the user's own authentication methods, select Add authentication method and choose Temporary Access Pass (Preview) as the method. You can also select a delayed start time, for example for a new user's first sign-in.

Creating a Temporary Access Pass

The settings you can manage here are bounded by the tenant-level settings you already configured on the Azure AD side. After selecting Add you see the pass that is provided for the user.

Temporary Access Pass from portal

It looks like you can complete this creation over the API as well, so feel free to integrate it into your own systems. 😉

Just send a POST request with {} in the body (or specify options there) to https://graph.microsoft.com/beta/users/<user-principal-name-or-object-id>/authentication/temporaryAccessPassMethods

Temporary Access Pass from Graph API

You need the UserAuthenticationMethod.ReadWrite.All permission to complete this. The permissions are described in more detail in the documentation.
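As an added example (not code from the original post), here is a small Python helper that builds the POST described above, sends it to Graph, and works out when the pass expires. Assumed: the bearer token already carries UserAuthenticationMethod.ReadWrite.All, and the property names lifetimeInMinutes, isUsableOnce, startDateTime and temporaryAccessPass follow the Graph beta temporaryAccessPassAuthenticationMethod resource; the sample response and its passcode are constructed so the script also runs offline.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH_BETA = "https://graph.microsoft.com/beta"

# Constructed sample of a Graph response; id and passcode values are made up.
SAMPLE_RESPONSE = {"id": "tap-id-placeholder", "temporaryAccessPass": "constructed-pass",
                   "startDateTime": "2021-02-24T09:00:00.0000000Z",
                   "lifetimeInMinutes": 60, "isUsableOnce": True}

def build_tap_request(user, lifetime_minutes=None, is_usable_once=None, start=None):
    """Return (url, body); an empty body {} means the tenant defaults apply."""
    url = f"{GRAPH_BETA}/users/{user}/authentication/temporaryAccessPassMethods"
    body = {}
    if lifetime_minutes is not None:
        body["lifetimeInMinutes"] = int(lifetime_minutes)
    if is_usable_once is not None:
        body["isUsableOnce"] = bool(is_usable_once)
    if start is not None:  # delayed start, e.g. a new hire's first sign-in (aware datetime)
        body["startDateTime"] = start.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return url, body

def graph_post(url, token, body):
    """Real transport: HTTPS POST to Graph with the bearer token (needs network)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def offline_post(url, token, body):
    """Offline stand-in for graph_post: echoes the requested options over the sample."""
    return {**SAMPLE_RESPONSE, **body}

def parse_graph_time(value):
    """Graph emits UTC ISO 8601 with up to 7 fractional digits; trim for fromisoformat."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)

def create_tap(user, token, post=graph_post, **options):
    """Create the pass; return id, passcode and expiry. Log the id, never the passcode."""
    url, body = build_tap_request(user, **options)
    method = post(url, token, body)
    start = parse_graph_time(method["startDateTime"])
    return {"id": method["id"], "passcode": method["temporaryAccessPass"],
            "once": bool(method.get("isUsableOnce")),
            "expires": start + timedelta(minutes=int(method["lifetimeInMinutes"]))}
```

Call create_tap with the real graph_post and a token from your own app registration; the expiry returned is what you should tell the user, and the passcode should be handed over out of band, not written to logs.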

End-user side

How does it look and feel then?

You type your username into the login form and select Next. Now (if a Temporary Access Pass has been created and is active for you) you see Use your Temporary Access Pass instead. Select it.

Sign-in form

Now you enter the passcode into the form and select Sign in.

Sign in with a Temporary Access Pass

And you are happily in, without MFA.

Logged in without MFA

If your time runs out, or you selected Require one-time use in the settings, you no longer see the Temporary Access Pass option in the sign-in form.

Sign-in form without a Temporary Access Pass

Conclusion

I have waited many years for this option. Now it is here. It works and I am really, really, really happy 🎉


Markus Lintuala

I've been working in IT since 2009 in different roles, mostly on the solution architecture, service development, training and consultancy side. I started working with Azure in 2013 and with Microsoft 365 related products in 2011. I like to work with the newest technologies by testing them, giving feedback and sharing the knowledge with people around me. Currently I'm working a lot on the Azure side with governance, security and solution architectures, and on the Microsoft 365 side with E5 security solutions with a strong zero trust aspect.
