After couple of weeks spring version of Microsoft Ignite is in the calendar and a lot of new announcements (at least I believe so). In the beginning of this week I noticed a new Authentication method in Azure AD Portal called Temporary Access Pass. On Monday there wasn’t any documentation available, but now there is! I believe it is going to be launched officially in Ignite. But of course I could look it little bit out before that πŸ˜‰

What is Temporary Access Pass

Temporary Access Pass is a temporary access code for end user to authenticate without a multi-factor authentication (limited time only and once only if required). I have already couple of use cases for Temporary Access Pass:

  • Enrolling a mobile to Intune in single-app mode has been a problem since you can’t give a MFA with a mobile in single app mode. More info about these caveats from another post
  • If your company is already passwordless, you can sign in with a Temporary Access Pass for FIDO2 key registration!

Sounds perfect! πŸŽ‰

Configurations

You can enable the Temporary Access Pass for selected users or all users under authentications methods from Azure Portal.

Authentication methods in Azure AD

There are couple of settings to set up. I suggest to turn down lifetimes and turn on Require one-time use setting, to enable just temporary access for end-user.

Settings of temporary access pass

Creating a Temporary Access Pass

If you try to create a Temporary Access Pass for user under Azure AD portal you can’t find it from there. Instead of using https://portal.azure.com use https://preview.portal.azure.com. This will be in GA-portal surely later on.

Under user own authentication methods select add authentication method and as a method choose Temporary Access Pass (Preview). You can also select a delayed start time for example first time sign-in for a new user.

Creating a Temporary Access Pass

Settings that you can manage are related to the tenant-level settings that you set up already in Azure AD side. After selecting Add you see the pass that is provided for user.

Temporary Access Pass from portal

It looks You can complete this creation also over API, so feel free to integrate it to your own systems. πŸ˜‰

Just send a POST query with {} in body (or specify options to there) to https://graph.microsoft.com/beta/users/<user-principal-name-or-object-id>/authentication/temporaryAccessPassMethods

Temporary Access Pass from Graph API

You need UserAuthenticationMethod.ReadWrite.All permissions to complete this. Permissions described more in the documentation.

End-user side

How does it look and feel then?

You write your username to the login form and select Next. Now you see (if Temporary Access Pass is created and active for you) User your Temporary Access Pass instead. Select it.

Sign-in form

You enter the passcode now to the form and select Sign in.

Sign in with a Temporary Access Pass

And you are happily in without a MFA.

Logged in without MFA

If your time runs out or you selected Require one-time use in settings, you can’t see the Temporary Access Pass option any more in sign-in form.

Sign in form without as Temporary Access Pass

Conclusion

Many years I have waited this option. Now it is there. It is working and I am really really really happy πŸŽ‰


Markus Lintuala

I've been working in IT since 2009 in different roles mostly with solution architecture, service development, training and consultancy side. With Azure I started to work in 2013 and with Microsoft 365 related products in 2011. I like to work often with the newest technologies by testing, giving feedback and share the knowledge to people around me. Currently I'm working much in Azure side with governances, security and solution architectures and in Microsoft 365 side with E5 security solutions with strong zero trust aspect.

6 Comments

Anonymous · 11.03.2021 at 19.53

Very nice presentation !!!
two architectural point to clarify, though.

When the end-user is ready to register FIDO2 or WHfB, he has to collect the TAP from helpdesk or manager through any out-of-band mechanism, may be phone-call.
That means organization has to keep somebody standby to cater TAP to the end-users.

And secondly, how do I prove myself to my manager so that he remains confident that he is not giving away TAP to some rogue party ?

    Markus Lintuala · 31.03.2021 at 14.59

    Hi Anonymous πŸ˜€
    I’m glad that you asked about this. You can get the TAP from AAD with API’s without manual work. Another question is, how do you deliver it for the end user who asks it confidentially – through manager or something else?

    I think that the perfect solution for this would be that end user provides a personal authentication based on credential that is issued by national authorities to get the TAP. Many countries have already a way to provide an authentication digitally. Problem is that you have to have some kind of identifier on account that corresponds towards the national identifier and it is not a perfect either. Also every country has little bit different kind of the identification. In the future Verifiable Credentials could be something to investigate. Currently there is not a 100% full proof way to do it, but compared to current world, it’s same with passwords. When a person starts for example in a new workplace he or she will get the first password often from the manager.

mombu mombu · 05.04.2021 at 19.58

what AAD license P1 or P2 is required for TAP?

Life without passwords - Bloggerz.cloud · 25.10.2021 at 10.34

[…] Call to SD, authenticate and get Temporary Access Pass (TAP) valid for 8 hours. (Read more about TAP: The Magic of Temporary Access Pass – Bloggerz.cloud) […]

Leave a Reply

Avatar placeholder

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.