What is Azure Temporary Access Pass?
Passwordless authentication methods, such as FIDO2 and Passwordless Phone Sign-in through the Microsoft Authenticator app, enable users to sign in securely without a password. Users can bootstrap Passwordless methods in one of two ways:
- Using existing Azure AD Multi-Factor Authentication methods
- Using a Temporary Access Pass (TAP)
A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones. A Temporary Access Pass also makes recovery easier when a user has lost or forgotten their strong authentication factor like a FIDO2 security key or Microsoft Authenticator app, but needs to sign in to register new strong authentication methods.
Lifetime of the pass
The default values and the ranges of allowed values for the tenant-wide Temporary Access Pass policy are described in the following table.
Setting | Default value | Allowed values | Comments
---|---|---|---
Minimum lifetime | 1 hour | 10 – 43200 minutes (30 days) | Minimum number of minutes that a Temporary Access Pass is valid.
Maximum lifetime | 24 hours | 10 – 43200 minutes (30 days) | Maximum number of minutes that a Temporary Access Pass is valid.
Default lifetime | 1 hour | 10 – 43200 minutes (30 days) | The default can be overridden per pass, within the minimum and maximum lifetime configured by the policy.
One-time use | False | True / False | When the policy is set to false, passes in the tenant can be used either once or more than once during their validity (maximum lifetime). When one-time use is enforced in the Temporary Access Pass policy, all passes created in the tenant are created as one-time use.
Length | 8 | 8 – 48 characters | Defines the length of the passcode.
Permissions for creating
These roles can perform the following actions related to a Temporary Access Pass.
- Global administrator can create, delete, view a Temporary Access Pass on any user (except themselves)
- Privileged Authentication administrators can create, delete, view a Temporary Access Pass on admins and members (except themselves)
- Authentication administrators can create, delete, view a Temporary Access Pass on members (except themselves)
- Global Administrator can view the Temporary Access Pass details on the user (without reading the code itself).
How to create a user and assign a pass
After creating the user, open the user in the Azure portal, choose Authentication methods and click Switch to the new user experience.
Choose Add authentication method and from the method dropdown choose Temporary Access Pass.
You can choose a delayed start time if the user only starts after a period of time, and the duration for which the pass is active. You can also choose whether the pass is one-time use only.
One-time use works as in the policy table above: when the policy is set to false, passes in the tenant can be used either once or more than once during their validity (maximum lifetime). When one-time use is enforced in the Temporary Access Pass policy, all passes created in the tenant are created as one-time use.
When you create the pass you will see it here. You provide this code to the user, who can then sign in through the https://aka.ms/mysecurityinfo site and register their other authentication methods.
PowerShell, PowerShell!
Of course there is also PoSh, my favorite little multitasking animal.
Connect to Graph with PowerShell.
```powershell
Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser
Connect-MgGraph -Scopes UserAuthenticationMethod.ReadWrite.All
```
Consent to the requested Graph permissions when prompted, then switch to the beta profile, since the Temporary Access Pass cmdlets are in the beta endpoint:
```powershell
Select-MgProfile -Name beta
```
Create, display and remove with PowerShell.
```powershell
# Create a Temporary Access Pass for a user
$properties = @{}
$properties.isUsableOnce = $True
# Graph expects an ISO 8601 timestamp; the original post had the month and day swapped ('2021-20-11'), which is not a valid date
$properties.startDateTime = '2021-11-20T11:19:00Z'
$propertiesJSON = $properties | ConvertTo-Json
New-MgUserAuthenticationTemporaryAccessPassMethod -UserId test.user1@cloudpartnerdemo.fi -BodyParameter $propertiesJSON

Id                                   CreatedDateTime        IsUsable IsUsableOnce LifetimeInMinutes MethodUsabilityReason StartDateTime          TemporaryAccessPass
--                                   ---------------        -------- ------------ ----------------- --------------------- -------------          -------------------
40b8633e-b4e0-4a62-962e-502744d58715 11/20/2021 11:19:55 AM True     True         120               EnabledByPolicy       11/20/2021 11:19:54 AM &8QMF7^#

# Get a user's Temporary Access Pass (note that the passcode itself is only returned at creation time)
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId test.user2@cloudpartnerdemo.fi

Id                                   CreatedDateTime        IsUsable IsUsableOnce LifetimeInMinutes MethodUsabilityReason StartDateTime          TemporaryAccessPass
--                                   ---------------        -------- ------------ ----------------- --------------------- -------------          -------------------
40b8633e-b4e0-4a62-962e-502744d58715 11/20/2021 11:19:54 AM True     True         120               EnabledByPolicy       11/20/2021 11:19:54 AM

# Remove a user's Temporary Access Pass
Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId 395fbd96-9ed2-4fb6-964c-9697760be9fe -TemporaryAccessPassAuthenticationMethodId e85358a2-a0de-4879-92b1-f59678924bbc -Verbose
VERBOSE: Performing the operation "Remove-MgUserAuthenticationTemporaryAccessPassMethod_Delete" on target "Call remote 'UsersAuthenticationDeleteTemporaryAccessPassMethods' operation".
```
Graph, Graph!
And not to forget the Graph API itself, which you can try out in Graph Explorer.
To add a new pass, use:
```http
POST https://graph.microsoft.com/beta/users/{UPN}/authentication/temporaryAccessPassMethods
```
If you want to specify the pass settings (start time, lifetime, one-time use) in the request body:
```json
{
  "@odata.type": "#microsoft.graph.temporaryAccessPassAuthenticationMethod",
  "startDateTime": "2021-11-20T11:30:53.000Z",
  "lifetimeInMinutes": 120,
  "isUsableOnce": true
}
```
If you want to remove a pass, you need the ID of the temporaryAccessPassMethods object. You can find it in the Azure portal or with the following request:
```http
GET https://graph.microsoft.com/beta/users/{UPN}/authentication/temporaryAccessPassMethods
```
Next, you can delete the pass with:
```http
DELETE https://graph.microsoft.com/beta/users/{UPN}/authentication/temporaryAccessPassMethods/{id}
```
PS. I removed the test user.
That’s all folks!