Temporary Access Pass in Microsoft Azure AD: A Guide to the Configuration
Microsoft Azure Active Directory, or Azure AD for short, allows you to sign in without the need for a password. This passwordless authentication method works in two ways:
– through the use of existing Azure AD Multi-Factor Authentication methods
– through a Temporary Access Pass (TAP)
Want to know more about the latter? Since you clicked on this article, I guess you do, so keep on reading if you want to find out how to configure a Temporary Access Pass in Azure AD!
What is a Temporary Access Pass?
First and foremost, let’s see what a TAP is, exactly: it is essentially a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including passwordless ones. A Temporary Access Pass also makes recovery easier in case you lose or forget your FIDO2 security key or Microsoft Authenticator app.
With that said, let’s get into how to set up a TAP using the Azure portal!
Step 1: enable TAP authentication method policy for users and groups
In order to let other users and groups use a TAP to sign in, you – as a Global admin and Authentication Method Policy admin role holder – will need to enable the authentication method policy and choose which users and groups will sign in with the TAP. Only users included in the policy can sign in with it.
Now, here’s how to set up the TAP authentication method policy:
– sign in to the Azure portal as a Global admin and click Azure Active Directory > Security > Authentication methods > Temporary Access Pass
– then click Yes to enable the policy, select which users have the policy applied, and any General settings (Minimum lifetime > 1 hour; Maximum lifetime > 1 day; Default lifetime > 1 hour; One-time > No; Length > 12 characters)
Step 2: create a TAP for a user in Azure AD
Follow the steps below to set up a Temporary Access Pass:
– sign in to Azure as either a Global administrator, Privileged Authentication administrator, or Authentication administrator
– click Azure Active Directory, browse to Users, select a user and choose Authentication methods
– if needed, select the option “Try the new user authentication methods experience”
– then select the option “Add authentication methods”
– now, below Choose method, click Temporary Access Pass (Preview)
– define a custom activation time or duration and click Add
Once added, the details of the Temporary Access Pass are shown. Make a note of the actual Temporary Access Pass value, because you’ll need to provide this value to the user, and you won’t be able to view it anymore after clicking Ok.
Here are the commands for creating a Temporary Access Pass by using PowerShell:
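The following script is an added example, not the article’s own listing, and uses the Microsoft Graph PowerShell SDK (module Microsoft.Graph.Identity.SignIns). It assumes the signed-in account holds the Authentication administrator role or higher, that `$UserPrincipalName` is a placeholder for the target user, and that the lifetime you pass falls inside the policy range configured in Step 1 (1 hour to 1 day). It issues a pass, prints the value once, lists the pass metadata and shows how to revoke it.

```powershell
# Added example (not the article's own code): issue, inspect and revoke a
# Temporary Access Pass with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph.Identity.SignIns is installed, the caller holds
# the Authentication administrator (or higher) role, and $UserPrincipalName
# is a placeholder for the user the pass is created for.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [int]  $LifetimeInMinutes = 60,    # must sit within the 1 hour .. 1 day policy range from Step 1
    [bool] $IsUsableOnce      = $true  # one-time pass: a leaked value cannot be reused after first sign-in
)

# Delegated scope required to manage another user's authentication methods
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

# Request body for the new pass; omitting startDateTime makes it valid from now
$body = @{
    isUsableOnce      = $IsUsableOnce
    lifetimeInMinutes = $LifetimeInMinutes
}

$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName -BodyParameter $body

# The pass value is returned only in this response and cannot be read back later,
# exactly like the portal's one-time display described in Step 2
Write-Host "TAP for $UserPrincipalName (valid $($tap.LifetimeInMinutes) min, one-time: $($tap.IsUsableOnce)):"
Write-Host $tap.TemporaryAccessPass

# Later inspection returns metadata (id, start, lifetime, usability) but never the value
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName |
    Select-Object Id, StartDateTime, LifetimeInMinutes, IsUsableOnce, IsUsable, MethodUsabilityReason

# Revoke the pass if it was issued by mistake or is no longer needed
# Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName `
#     -TemporaryAccessPassAuthenticationMethodId $tap.Id
```

Treat the printed value like any other credential: hand it to the user through a channel where you have verified their identity, and prefer a one-time pass with a short lifetime so that a value that leaks in transit is worthless after the first sign-in or after expiry.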
Step 3: sign in with a TAP
Lastly, let’s check out how users can utilize their TAP to sign in.
Note that generally users can register authentication details during the first sign-in, without the need to complete additional security prompts. Authentication methods are registered at https://aka.ms/mysecurityinfo. Here users can also update existing authentication methods.
– Access https://aka.ms/mysecurityinfo from your browser
– enter the UPN of the account you created the Temporary Access Pass for
– if the user is included in the Temporary Access Pass policy, they’ll see a screen to enter their Temporary Access Pass
– now enter the Temporary Access Pass that was displayed in the Azure portal
That’s it: the user is now signed in and can update or register a method, such as a FIDO2 security key. If the user loses their credentials or device, it’s recommended that they remove their old authentication methods. Also, users can keep signing in by using their password; a TAP doesn’t replace a user’s password, after all.
Source: Microsoft Docs