Temporary Access Pass for Passwordless authentication
What is a Temporary Access Pass
A Temporary Access Pass is a time-bound passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods.
A Temporary Access Pass also makes recovery easier when a user has lost or forgotten their strong authentication factor, such as a FIDO2 security key or the Microsoft Authenticator app, but needs an alternative way to sign in and set up the new authentication method.
Generating a Temporary Access Pass is a two-step process:
- Enabling the Temporary Access Pass policy
- Creating a Temporary Access Pass
Enable the Temporary Access Pass Policy
Global administrator and Authentication Policy administrator role holders are eligible to update the Temporary Access Pass authentication method policy. Follow the steps below to configure it.
Step 1: Navigate to the Temporary Access Pass authentication method in the Azure Portal
Log in to the Azure Portal as a Global admin or Authentication Policy admin and navigate to Azure Active Directory > Security > Authentication methods > Temporary Access Pass.
Step 2: Enable the policy
To enable the policy:
- Set Enable to Yes
- Select which users the policy applies to
Step 3: Configure the policy
On the Configure tab, you can modify the default Temporary Access Pass settings: maximum and minimum lifetime, default lifetime, passcode length, and one-time usage. This step is optional; if you do not change anything, the default values apply to all of these parameters.
When creating a pass, the admin can override the default lifetime with any period between the minimum and maximum limits set here.
Create Temporary Access Pass
- Log in to the Azure Portal as a Global administrator, Privileged Authentication administrator or Authentication administrator.
- Navigate to Azure Active Directory -> Users. Select a user, for example Allan Deyoung, then choose Authentication methods.
- Select the option to Switch to the new user authentication methods experience.
- Click Add authentication method.
- Choose Temporary Access Pass from the “Choose method” dropdown.
- Enter a start time to activate the pass and an activation period, then click Add (the period has to be between the minimum and maximum lifetime set in the policy).
- Copy the passcode and the URL to pass on to the user. Note that the passcode cannot be viewed again after you click OK.
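The policy bounds from Step 3 and the pass-creation step above can also be driven through the Microsoft Graph API. The following is an added example, not code from the original post or from Microsoft: it reads the limits from a constructed copy of the policy object Graph returns for the Temporary Access Pass configuration, and builds the body for `POST /users/{id}/authentication/temporaryAccessPassMethods`, refusing any lifetime outside the policy's range before a request is sent. The sample policy values, the user id and the start time are assumptions for illustration; the HTTP call itself is left to the caller.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample (illustrative values, not a real tenant) of the policy object from
# GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/TemporaryAccessPass
SAMPLE_POLICY = {
    "id": "TemporaryAccessPass",
    "state": "enabled",
    "defaultLifetimeInMinutes": 60,
    "minimumLifetimeInMinutes": 60,
    "maximumLifetimeInMinutes": 480,
    "defaultLength": 8,
    "isUsableOnce": False,
}
SAMPLE_START = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed start time

@dataclass(frozen=True)
class TapPolicy:
    enabled: bool
    default_minutes: int
    min_minutes: int
    max_minutes: int

    @classmethod
    def from_graph(cls, obj: dict) -> "TapPolicy":
        return cls(obj["state"] == "enabled", obj["defaultLifetimeInMinutes"],
                   obj["minimumLifetimeInMinutes"], obj["maximumLifetimeInMinutes"])

def build_tap_request(user_id, policy, start, lifetime_minutes=None, one_time=False):
    """Body for POST /users/{id}/authentication/temporaryAccessPassMethods, checked against policy min/max."""
    if not policy.enabled:
        raise ValueError("Temporary Access Pass policy is not enabled")
    minutes = policy.default_minutes if lifetime_minutes is None else lifetime_minutes
    if not policy.min_minutes <= minutes <= policy.max_minutes:
        raise ValueError(f"lifetime {minutes} min is outside policy range "
                         f"{policy.min_minutes}-{policy.max_minutes} min")
    if start.tzinfo is None:
        raise ValueError("start must be timezone-aware; Graph expects an ISO 8601 UTC time")
    body = {
        "startDateTime": start.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "lifetimeInMinutes": minutes,
        "isUsableOnce": one_time,
    }
    return "POST", f"/users/{user_id}/authentication/temporaryAccessPassMethods", body

def pass_window(start, lifetime_minutes):
    """Activation window [start, end); the service may keep prompting for a few minutes after end."""
    return start, start + timedelta(minutes=lifetime_minutes)
```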
Using a Temporary Access Pass
During first sign-in, device setup or after the loss of a device, a user typically uses a Temporary Access Pass to register new authentication methods.
Open the URL https://aka.ms/mysecurityinfo.
- If the user is included in the Temporary Access Pass policy, they will see a screen to enter their Temporary Access Pass.
- Key in the UPN of the user for whom the Temporary Access Pass was generated.
- Key in the Temporary Access Pass that was displayed in the Azure portal.
Update / Add sign-in method
In this security portal, users who have lost their credentials or device must make sure to remove or update the old sign-in methods.
Users can also add a sign-in method, such as the Authenticator app, by clicking “+ Add sign-in method”.
A user who has lost a device can also choose “Sign out everywhere” from the same page.
Delete a Temporary Access Pass
Once the Temporary Access Pass expires, an admin can delete it under the user -> Authentication Methods. The generated passes and their expiry times are listed there, and the admin can choose which pass to delete.
Limitations of a Temporary Access Pass
- When using a one-time Temporary Access Pass to register a Passwordless method such as FIDO2 or Phone sign-in, the user must complete the registration within 10 minutes of signing in.
- Users who are covered by the Self Service Password Reset (SSPR) registration policy or the Identity Protection multi-factor authentication registration policy will be required to register authentication methods after they have signed in with a Temporary Access Pass. However, this flow currently does not support FIDO2 and Phone Sign-in registration.
- A Temporary Access Pass cannot be used with the Network Policy Server (NPS) extension or the Active Directory Federation Services (AD FS) adapter.
- When the Temporary Access Pass tied to an account expires, it takes a few minutes for the expiry to be reflected in the system, so in the meantime users may still see a prompt for a Temporary Access Pass.