If you have been following the PASSWORDLESS developments on the Azure AD side, you have probably heard about the new authentication method that has just been added in public preview – Temporary Access Pass.
Today's blog post shares my experience of trying out this new authentication method in Azure AD.
What is Temporary Access Pass?
As the official documentation states,
Temporary Access Pass (TAP) is a time-limited passcode that itself can serve as a strong credential and enables the end user to register for other authentication methods, including passwordless authentication, without the use of an actual password.
Admins can define whether the Temporary Access Pass passcode is one-time use only, and can also set its minimum and maximum validity.
Note that when a user authenticates with a TAP, the authentication is handled by Azure Active Directory itself; there is no redirection to ADFS or another federation service, if one is configured.
The main goal for TAP is to enable users to do an initial sign-in to further set up any of the available passwordless authentication methods like FIDO2 security keys or Phone sign-in using the Authenticator app, without the need to have a traditional password.
If an environment is fully on modern-auth, this feature can surely help in an organization’s ambition of going fully passwordless!
Enabling Temporary Access Pass in the Tenant
- Navigate to Security – Authentication Methods and from under Policies, select the Temporary Access Pass (preview) policy.
- Set ENABLE to Yes. Under TARGET, choose All Users, or, if you want to enable TAP for specific users only, create a user group and select that group instead.
- Click on EDIT if you want to modify any parameters for TAP.
- Here I have not made any changes to the default configuration. Once done, click on SAVE and the TAP policy should now be in the Enabled state.
- Make sure you enable the new combined registration portal for Azure MFA and Self Service Password Reset.
The combined registration can be enabled for a group of users or for all users of the tenant. If you enable it for specific users only, make sure that the same user group is also targeted by the TAP policy if you want those users to use TAP.
Generating TAP for a User
Once the Temporary Access Pass authentication method policy is enabled, go to the Users section of the Azure portal and select the user for whom you want to generate a TAP.
Note: The user must be included in the Temporary Access Pass policy as shown above.
- Inside the user profile, go to Authentication methods, and enable the new user authentication methods experience using the notification banner link.
- Then you will get the option to Add authentication method. Click on it.
- From the flyout pane, choose Temporary Access Pass (Preview) from the dropdown list.
- Configure/modify the parameters of the Temporary Access Pass (Preview) and click on Add.
Here you get the option to determine whether the TAP is one-time use only or can be reused multiple times until it expires.
- Once you click on Add, the request is processed and the Temporary Access Pass passcode is created for the user.
Make sure to note down the Temporary Access Pass passcode that is displayed before closing the flyout pane.
This is important because the passcode cannot be retrieved from anywhere once the flyout is closed. If you forget to note the TAP passcode, the only option is to delete the TAP created for the user and generate a new one.
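The same two steps, checking that the tenant TAP policy is enabled and then generating a one-time pass for a user, can be done through Microsoft Graph from PowerShell. This is an added example, not code from the post or from Microsoft's documentation; it assumes the Microsoft.Graph PowerShell SDK, an admin who can consent to the scopes shown, and the post's test user UPN (the endpoints sat under /beta during the preview and have since shipped in v1.0).

```powershell
# Added example: generate a Temporary Access Pass through Microsoft Graph
# instead of the portal flyout. Assumes the Microsoft.Graph PowerShell SDK.
# Policy.Read.All reads the authentication method policy;
# UserAuthenticationMethod.ReadWrite.All creates/deletes a user's TAP.
Connect-MgGraph -Scopes "Policy.Read.All", "UserAuthenticationMethod.ReadWrite.All"

$graph = "https://graph.microsoft.com/v1.0"
$upn   = "testtapuser@intunewithjoy.in"   # test user from the post

# 1. Confirm the tenant-level TAP policy is enabled before generating anything.
#    The user (or a group they belong to) must also be in the policy's target.
$policy = Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/TemporaryAccessPass"
if ($policy.state -ne "enabled") {
    throw "TAP policy is '$($policy.state)'; enable it under Security > Authentication methods first."
}
"TAP policy: default lifetime {0} min, one-time use by default: {1}" -f `
    $policy.defaultLifetimeInMinutes, $policy.isUsableOnce

# 2. Generate a short-lived, one-time pass. lifetimeInMinutes must fall inside
#    the policy's minimum/maximum, the same limits the portal flyout enforces.
$body = @{
    startDateTime     = (Get-Date).ToUniversalTime().ToString("o")  # valid from now
    lifetimeInMinutes = 60
    isUsableOnce      = $true   # consumed by the first successful sign-in
}
$tap = Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/users/$upn/authentication/temporaryAccessPassMethods" `
    -Body $body -ContentType "application/json"

# The passcode is returned ONLY in this create response (exactly like the
# flyout): hand it to the user over a trusted channel now and do not log it.
"TAP for $upn (id $($tap.id)) starts $($tap.startDateTime), lifetime $($tap.lifetimeInMinutes) min"
$tap.temporaryAccessPass

# 3. Listing the method later returns its metadata only; temporaryAccessPass is
#    not returned, so a forgotten code can only be replaced: delete, then create again.
$existing = (Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/users/$upn/authentication/temporaryAccessPassMethods").value
foreach ($m in $existing) {
    "id=$($m.id) usableOnce=$($m.isUsableOnce) lifetime=$($m.lifetimeInMinutes) min"
}
# Revoke an outstanding pass (e.g. one that was noted down in the wrong place):
# Invoke-MgGraphRequest -Method DELETE -Uri "$graph/users/$upn/authentication/temporaryAccessPassMethods/$($tap.id)"
```

A user can hold only one TAP at a time, so the delete-then-create order in step 3 is the one the portal flow also requires.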
User Experience
Above, I generated a TAP passcode for a test user of my tenant with the UPN testtapuser@intunewithjoy.in
Now let's check whether I can sign in with this account to a Microsoft cloud service, say the Office portal, using only the TAP passcode and not the traditional account password.
Since this user has a TAP generated which is still in its validity period (not expired), I get this option to Use your Temporary Access Pass instead.
Note: This option will not appear when there is no valid TAP available for the account performing sign-in.
Entered the TAP passcode and well, it let me in.
Note that a TAP is a time-limited passcode that satisfies strong authentication requirements; as such, it can satisfy the MFA requirement of Conditional Access without a separate MFA prompt.
Using the Sign-in review of Conditional Access (a feature which is currently in limited preview!) I can see that the sign-in was evaluated by Conditional Access but still came up as a success, for the reason stated above.
As mentioned in the description, Temporary Access Pass can be used for account recovery purposes as well.
The end user can sign in to https://mysignins.microsoft.com with the TAP passcode and then, from the Security info section, add a new sign-in method or modify/delete existing sign-in methods.
Any connections with MEM Intune…
From a device management perspective, no, there isn't any real connection, since this is purely an authentication method.
However, I do see Temporary Access Pass solving one of the long-standing issues of Intune with regard to Apple DEP (now ABM) provisioning…
When you have "Lock the Company Portal in single app mode until user sign-in" enabled for your iOS/iPadOS devices, the device is locked to running the Company Portal app in single app mode immediately after Setup Assistant completes. You cannot get to anything unless you sign in to the Company Portal app, and herein lies the problem! If that is the only device the user has and there is a CA policy that requires MFA, the device enters a loop, because the user cannot receive/retrieve the code or call needed for the second factor. But with a TAP able to satisfy strong authentication requirements, instead of excluding the user from the CA policy, which was the earlier workaround, I can finally see the problem being solved!
Peter Klapwijk, in his blog post, has excellently shown how you can use Temporary Access Pass during Windows Autopilot device provisioning, later complete the device setup using the same TAP via web sign-in (enabled via an MDM profile), and then set up Windows Hello for Business to log in to the device, without ever using a traditional password!
Wrapping it up
If you are going passwordless, the Temporary Access Pass in Azure AD surely helps to onboard users to the passwordless world!