Go fully passwordless with the new Azure AD Temporary Access Pass feature
The Azure AD Temporary Access Pass (TAP) preview feature is now available in tenants. With it, an admin can issue a user a time-limited passcode that stands in for a password. The main goal is to go fully passwordless, with no permanent password configured in the tenant.
The feature is in public preview. Let's take a look at it.
What is the new Temporary Access Pass feature?
Temporary Access Pass is a new way to create and onboard users with a kind of temporary password. With a TAP a user can enroll passwordless authentication methods and register for MFA, SSPR and Windows Hello for Business.
With the TAP feature a temporary passcode is set up for the user with an expiration time. Yes, correct: the Temporary Access Pass expires.
Passwordless authentication methods, such as FIDO2 security keys and passwordless phone sign-in through the Microsoft Authenticator app, let users sign in securely without a password. Before the TAP feature, enrolling a new passwordless method, or resetting an existing one, was not the most user-friendly part, because the user first had to sign in with a password or another registered strong factor to reach the registration page.
A TAP is a time-limited passcode issued by an admin that can be used to register other passwordless authentication methods. The feature is a good start for a fully passwordless environment in the future and stops the use of permanent passwords inside the environment.
TAP also makes recovery easier when a user has lost or forgotten their strong authentication factor, like a FIDO2 security key or the Microsoft Authenticator app, but needs to sign in to register a new strong authentication method.
Enable the feature
To enable the feature, a Temporary Access Pass authentication method policy is needed. The policy defines the lifetime settings for the passes created in the tenant and the users or groups who can sign in with a TAP.
Note that the authentication method policy must be enabled and scoped to the selected users and groups before anyone can sign in with a TAP.
To enable the authentication method:
- Sign in to the Azure portal as a Global admin or Authentication admin and go to Azure Active Directory > Security > Authentication methods > Temporary Access Pass.
- Enable the Temporary Access Pass policy.
- Select the target user scope (selected users or groups), or select All users.
Under General inside the authentication method screen it is possible to define the TAP settings for the selected user scope. The following settings are available; see the Microsoft docs for the current defaults and allowed values.
- Minimum lifetime: the minimum number of minutes that a TAP is valid. Default: 1 hour. Allowed: 10-43200 minutes.
- Maximum lifetime: the maximum number of minutes that a TAP is valid. Default: 24 hours. Allowed: 10-43200 minutes.
- Default lifetime: the lifetime a new pass gets when none is specified. It can be overridden per pass, within the minimum and maximum lifetime configured by the policy. Default: 1 hour. Allowed: 10-43200 minutes.
- One-time use: when set to false, a pass can be used once or more than once during its validity (up to the maximum lifetime). When one-time use is enforced in the policy, every pass created in the tenant is one-time use. Default: False.
- Length: the length of the passcode. Default: 8. Allowed: 8-48 characters.
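As an added example (not from the original post), here is the same policy configured from PowerShell through the Microsoft Graph beta endpoint, using the generic Invoke-MgGraphRequest cmdlet from the Microsoft.Graph.Authentication module. The group object ID is a placeholder, and the chosen values (one-hour default, eight-hour maximum, one-time use, scoped to a single onboarding group) are a tighter-than-default configuration picked for this example, not settings from the post.

```powershell
# Added example, not from the original post: configure the Temporary Access Pass
# authentication method policy via Microsoft Graph (beta) from PowerShell.
# Requires the Microsoft.Graph.Authentication module and an admin who can edit
# authentication method policies. The group ID below is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$uri = "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/TemporaryAccessPass"

# Tighter than the tenant defaults: passes live 1 hour unless overridden, never more
# than 8 hours, are single-use, and only members of one group may sign in with them.
$policy = @{
    "@odata.type"            = "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration"
    state                    = "enabled"
    defaultLifetimeInMinutes = 60
    minimumLifetimeInMinutes = 60
    maximumLifetimeInMinutes = 480
    defaultLength            = 8
    isUsableOnce             = $true
    includeTargets           = @(
        @{
            targetType             = "group"
            id                     = "00000000-0000-0000-0000-000000000000"   # placeholder: object ID of the scoped group
            isRegistrationRequired = $false
        }
    )
}

Invoke-MgGraphRequest -Method PATCH -Uri $uri `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Read the policy back and confirm the settings took effect before issuing any passes.
$current = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
$current | Select-Object state, defaultLifetimeInMinutes, minimumLifetimeInMinutes,
                         maximumLifetimeInMinutes, defaultLength, isUsableOnce
$current.includeTargets | Select-Object targetType, id
```

Scoping the policy to a group rather than All users keeps the set of accounts that can be signed into with a TAP under control, and forcing one-time use means a pass that leaks after the user has registered a strong factor is worthless.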
Configure the TAP
After the TAP policy is enabled, it is possible to create a TAP for a user in Azure AD. At the moment the following roles can perform actions related to the TAP feature:
- Global administrators can create, delete and view a TAP on any user (except themselves).
- Privileged Authentication administrators can create, delete and view a TAP on admins and members (except themselves).
- Authentication administrators can create, delete and view a TAP on members (except themselves).
- Global Readers can view the TAP details on a user (without reading the code itself).
From the admin side, a TAP is created as follows. Note: for now, use https://preview.portal.azure.com/
- Sign in to the Azure portal and go to Azure Active Directory > Users > select the user > Authentication methods.
- Select Add authentication method.
- Under Choose method, select Temporary Access Pass (Preview) and click Add. You have the option to specify settings that override the defaults (for example the lifetime), within the limits of the policy.
- Once added, the details of the Temporary Access Pass are shown, including the code. After closing the window it is not possible to show the value again, so hand it to the user right away.
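As an added example (not from the original post), the same TAP creation done from PowerShell with Invoke-MgGraphRequest against the Graph beta endpoint, as a helpdesk script would do it. The UPN is a placeholder. The example assumes a user can hold only one TAP at a time, so it removes any existing pass before issuing a new one, and it issues a one-time pass so the code is dead once the user has registered a strong factor.

```powershell
# Added example, not from the original post: issue a one-time Temporary Access Pass
# for a user via Microsoft Graph (beta), show it exactly once, and never store it.
# Requires the Microsoft.Graph.Authentication module and an Authentication admin
# (or higher) session. The UPN below is a placeholder.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

$upn  = "new.user@contoso.com"   # placeholder
$base = "https://graph.microsoft.com/beta/users/$upn/authentication/temporaryAccessPassMethods"

# Assumption for this example: a user holds at most one TAP at a time, so any
# existing pass (used or not) is removed before a fresh one is issued.
$existing = Invoke-MgGraphRequest -Method GET -Uri $base -OutputType PSObject
foreach ($old in $existing.value) {
    Invoke-MgGraphRequest -Method DELETE -Uri "$base/$($old.id)"
}

# Per-pass overrides: 60 minutes, single use. Both stay bounded by the policy's
# minimum/maximum lifetime, and the policy's one-time-use setting wins if enforced.
$body = @{ lifetimeInMinutes = 60; isUsableOnce = $true } | ConvertTo-Json
$tap  = Invoke-MgGraphRequest -Method POST -Uri $base -Body $body `
            -ContentType "application/json" -OutputType PSObject

# The code is only returned in this response; hand it to the user out of band
# (phone, in person), not by e-mail to the mailbox the user cannot sign in to yet.
"TAP for $upn : valid $($tap.lifetimeInMinutes) min from $($tap.startDateTime), one-time use: $($tap.isUsableOnce)"
$tap.temporaryAccessPass

# Later: verify the pass state. After a one-time pass is redeemed or the lifetime
# has elapsed, isUsable turns false and methodUsabilityReason says why.
$state = Invoke-MgGraphRequest -Method GET -Uri $base -OutputType PSObject
$state.value | Select-Object id, isUsable, methodUsabilityReason, startDateTime, lifetimeInMinutes
```

The Graph response carries the passcode only once, exactly like the portal window above; the follow-up GET shows the pass metadata and usability but never the code again.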
Use a TAP
The most common use for a TAP in a passwordless environment is to register a strong authentication method directly during the first sign-in, without needing a password to complete the security configuration.
- Go to https://aka.ms/mysecurityinfo
- Sign in with the UPN; the sign-in page asks for the TAP instead of a password.
- In the Enter Temporary Access Pass screen, enter the TAP.
The user is now signed in and can register a passwordless authentication method, for example a FIDO2 security key. In the case of a lost device, make sure the user removes the old device from the security info page. With the TAP it is also possible to register for passwordless phone sign-in in the Microsoft Authenticator app, and from there adopt the other passwordless options.
For extra security, protect the authentication method / security info registration page with a Conditional Access policy and restrict it to trusted locations if registration only happens internally.
Note: when using a one-time TAP to register passwordless methods such as FIDO2 or Authenticator phone sign-in, the user must complete the registration within 10 minutes of signing in with the one-time TAP. This is currently a limitation by design.
When Seamless SSO is enabled on the tenant, the user is prompted to enter a password. The "Use your Temporary Access Pass instead" link is then available so the user can sign in with the TAP.
Wrap things up & Feedback
The feature is great for a fully passwordless environment and gives the option to remove permanent passwords if the environment is modern-based.
One wish: it would be great if the TAP were only usable for setting up a strong factor and did not give access to corporate apps in the environment. The main goal of TAP is setting up a strong factor without any long-lived password, not viewing other apps and data inside the environment.