Temporary Access Pass, or TAP, is a cool Azure AD feature which is still in preview, but I see huge wins if Microsoft puts it into general availability, so that IT admins can keep security over user accounts uninterrupted.
In real life, users may forget to bring their mobile phone to the office, or the battery may be dead, so they can’t get into the Authenticator app to complete the MFA challenge.
When a user fails to complete a strong authentication step such as FIDO2 or multi-factor authentication, Temporary Access Pass can be deployed to save the day.
This way, if a user can’t complete strong authentication, IT doesn’t need to take them out of the MFA Conditional Access policy, for example. Users have the option of entering a reusable or one-time TAP to get in.
How to activate TAP?
Go to https://aad.portal.azure.com/ > Azure Active Directory > Security > Authentication methods
Go to Policies > Temporary Access Pass (preview)
In the TAP settings, go to the Basic tab and enable the service.
Go to Target and select the users. Please forgive my love of Star Wars (the users, I mean) 🙂
Save the changes.
Go to the Configure tab and set the options below if required.
And that’s the setup part. Pretty easy stuff, right?
Configure TAP for a selected user
Go to one of the users you added to the policy in the previous step.
Go to Authentication Methods and enable the new experience page if you haven’t done that yet.
Once that’s done, click Add Authentication Method.
Select the Temp. Access Pass (preview) option.
Configure the settings for how you want the TAP to behave.
If you don’t want the TAP to activate immediately, select the Delayed Start Time option and set the date and time (shown below).
Press Add and you will get the completion page with the pass. Take a note of the pass.
And that’s it. Now the user has TAP activated.
Test the TAP
Now that the option is activated, hand over the passcode to the user.
Users can go to https://aka.ms/mysecurityinfo to register security info such as a new phone number or a new device for multi-factor authentication, so they can continue using strong authentication.
Now, when users are presented with the M365 login page to enter their email address and password, they will see the option Use your Temporary Access Pass instead as soon as they enter the email and press Enter.
Click on that link without entering the password.
It will open the page below.
And the user is in!
For security purposes this can be set up for one-time use, since it bypasses the strong authentication methods, though only temporarily. It’s advisable to set a shorter activation duration.
With this, admins can safely enable the pass without hindering the overall security posture by taking users out of Conditional Access policies, which may lead to “oh, I forgot to add the user back” or “the user preferred not to use MFA” kinds of excuses.
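The per-user steps above (add the method, delayed start, one-time use and a short lifetime) can also be scripted. This is an added example using the Microsoft Graph PowerShell SDK, not code from the original post; it assumes the Microsoft.Graph module is installed, the TAP policy is already enabled as described in the setup part, and the UPN is a placeholder.

```powershell
# Added example: issue a one-time, short-lived, delayed-start TAP for one user,
# then list and revoke it. Assumes the Microsoft.Graph module is installed and
# the TAP authentication method policy is already enabled for this user.
Import-Module Microsoft.Graph.Identity.SignIns

# Delegated permission needed to manage another user's authentication methods
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

$userId = 'user@contoso.example'   # placeholder UPN or object id

# One-time, 60-minute pass that only becomes valid 15 minutes from now.
# Single use plus a short lifetime limits how long the MFA bypass window stays open.
# LifetimeInMinutes must fall inside the min/max set on the TAP policy's Configure tab.
$params = @{
    UserId            = $userId
    IsUsableOnce      = $true
    LifetimeInMinutes = 60
    StartDateTime     = (Get-Date).AddMinutes(15).ToUniversalTime()
}
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod @params

# The pass value is returned only at creation; record it now and hand it over out of band.
"Pass (shown once): $($tap.TemporaryAccessPass)"
"Usable now: $($tap.IsUsable)  Reason: $($tap.MethodUsabilityReason)"

# Audit what is registered: a user can hold only one TAP at a time.
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userId |
    Select-Object Id, CreatedDateTime, StartDateTime, LifetimeInMinutes, IsUsableOnce, IsUsable

# Revoke early once the user has re-registered their security info at aka.ms/mysecurityinfo.
Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userId `
    -TemporaryAccessPassAuthenticationMethodId $tap.Id
```

The returned MethodUsabilityReason will read as not yet usable until the delayed start time passes, which is the same behaviour as the portal's Delayed Start Time option.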