Temporary Access Pass for Passwordless authentication


What is a Temporary Access Pass

A Temporary Access Pass is a time-bound passcode issued by an admin which satisfies strong authentication criteria and can be used to onboard other authentication methods.

A Temporary Access Pass also makes recovery easier when a user has lost or forgotten their strong authentication factor, such as a FIDO2 security key or the Microsoft Authenticator app, and needs an alternate way to sign in so they can set up a new authentication method.

Generating a Temporary Access Pass is a two-step process: first enable the Temporary Access Pass authentication method policy, then create a pass for the individual user.

Enable the Temporary Access Pass Policy

Only holders of the Global administrator or Authentication Policy administrator role can update the Temporary Access Pass authentication method policy. Follow the steps below to configure it.

Step 1 : Navigate to Temporary Access Pass Authentication method in Azure Portal

Log in to the Azure Portal as a Global admin or Authentication Policy admin and navigate to Azure Active Directory > Security > Authentication methods > Temporary Access Pass.

Step 2 : Enable the policy

To enable the policy

      Set Enable to Yes

      Select which users have the policy applied

Step 3 : Configure the policy

On the Configure tab, you can modify the default Temporary Access Pass settings: minimum and maximum lifetime, default lifetime, passcode length, and whether a pass can be used only once. This step is optional; if you do not change anything, the default values apply to all of these parameters. Consider enabling one-time use: a multi-use pass that leaks remains valid for its whole lifetime, whereas a one-time pass is consumed by the first successful sign-in.

While creating a pass, the admin can override the default lifetime to a period somewhere between the maximum and minimum limit set here.
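The same policy change can be made through Microsoft Graph, which is useful when you want the configuration reviewed and applied as code rather than clicked through the portal. The following is an added example written for this page with the Microsoft Graph PowerShell SDK; it is not code from the original post or from Microsoft. It assumes the Microsoft.Graph module is installed and that the signed-in account holds the Global administrator or Authentication Policy administrator role. The lifetime, length and target-group values are illustrative assumptions, not recommended defaults.

```powershell
# Added example: enable and configure the Temporary Access Pass policy via Microsoft Graph.
# Assumptions: Microsoft.Graph module installed; signed-in account can edit the
# authentication methods policy. Numeric values below are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns

# Permission scope that covers reading and writing the authentication methods policy
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

# Read the current configuration first so the change can be reviewed before applying it
$before = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "TemporaryAccessPass"
$before.AdditionalProperties | Format-List

# Desired settings. Short lifetimes and one-time use limit the damage if a pass leaks.
$tapConfig = @{
    "@odata.type"            = "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration"
    state                    = "enabled"
    defaultLength            = 12        # passcode length (placeholder value)
    minimumLifetimeInMinutes = 60        # admins cannot issue a pass shorter than this
    maximumLifetimeInMinutes = 480       # or longer than this
    defaultLifetimeInMinutes = 60        # used when the admin does not override the lifetime
    isUsableOnce             = $true     # a multi-use pass stays valid for its whole lifetime
    includeTargets           = @(
        @{
            targetType             = "group"
            id                     = "all_users"   # or the object ID of a specific group
            isRegistrationRequired = $false
        }
    )
}

Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "TemporaryAccessPass" `
    -BodyParameter $tapConfig

# Confirm the change landed
(Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "TemporaryAccessPass").AdditionalProperties
```

Reading the configuration back before and after the update gives you a before/after record of the policy, which is the kind of evidence a change review or an audit will ask for.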

Create Temporary Access Pass

  1. Log in to the Azure Portal as a Global administrator, Privileged Authentication administrator, or Authentication administrator. Note that an Authentication administrator can issue passes only for non-administrator users; issuing a pass for an administrator requires the Privileged Authentication administrator or Global administrator role.
  2. Navigate to Azure Active Directory -> Users. Select a user, for example Allan Deyoung, then choose Authentication methods.
  3. Select the option to Switch to the new user authentication methods experience.
  4. Click Add authentication method.
  5. Choose Temporary Access Pass from the "Choose method" drop-down.
  6. Enter the start time at which the pass becomes valid and its activation duration, then click Add. The duration must fall between the minimum and maximum lifetime set in the policy.
  7. Copy the passcode and the URL to pass on to the user. The passcode is displayed only once; after you click OK it cannot be retrieved again, so deliver it to the user through a channel you trust.
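Helpdesk teams that issue passes regularly usually script this instead of clicking through the portal. The following is an added example for this page, written with the Microsoft Graph PowerShell SDK; it is not code from the original post or from Microsoft. It assumes the Microsoft.Graph module is installed and that the signed-in account holds one of the roles listed in step 1. The user principal name and the lifetime are placeholders.

```powershell
# Added example: issue a Temporary Access Pass for one user via Microsoft Graph.
# Assumptions: Microsoft.Graph module installed; signed-in account may manage the
# target user's authentication methods. UPN and lifetime below are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

$userId = "allan.deyoung@contoso.com"   # placeholder user principal name

# Lifetime must lie within the policy's minimum/maximum; omit it to take the policy default.
# StartDateTime may be in the future so the pass stays inert until it is handed over.
$params = @{
    LifetimeInMinutes = 60
    IsUsableOnce      = $true
    StartDateTime     = (Get-Date).ToUniversalTime()
}

$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userId @params

# The passcode is returned exactly once, in this response. Deliver it out of band now,
# together with the registration URL https://aka.ms/mysecurityinfo.
[PSCustomObject]@{
    Passcode  = $tap.TemporaryAccessPass
    StartsUtc = $tap.StartDateTime
    Minutes   = $tap.LifetimeInMinutes
    OneTime   = $tap.IsUsableOnce
    Usable    = $tap.IsUsable
    Reason    = $tap.MethodUsabilityReason   # e.g. EnabledByPolicy, NotYetValid
}
```

The `IsUsable` and `MethodUsabilityReason` fields in the response tell you immediately whether the pass can be used right now or is waiting for its start time, which saves a round trip with the user when something was set wrongly.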

Using a Temporary Access Pass

A user commonly uses a Temporary Access Pass to register new authentication methods at first sign-in, during device setup, or after losing a device.

Open the URL https://aka.ms/mysecurityinfo.

  1. If the user is included in the Temporary Access Pass policy, they will see a screen to enter their Temporary Access Pass.
  2. Enter the user principal name (UPN) of the user for whom the Temporary Access Pass was generated.
  3. Enter the Temporary Access Pass that was displayed in the Azure portal.

Update / Add sign-in method

In this security info portal, users who have lost their credentials or device must make sure to remove or update the old sign-in methods, so that a lost key or phone can no longer be used to authenticate.

Users can also add a sign-in method, such as the Microsoft Authenticator app, by clicking "+ Add sign-in method".

If you have lost a device, you can also choose "Sign out everywhere" from the same page to revoke existing sessions on all devices.

Delete a Temporary Access Pass

Once the Temporary Access Pass expires, an admin can delete it under the user's Authentication Methods page. The generated passes and their expiry times are listed there, and the admin can choose to delete a pass. Deleting an expired pass is housekeeping; deleting a pass that is still valid revokes it immediately, which is the right response if a pass was sent to the wrong person or is suspected to have leaked.
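The listing and cleanup can also be scripted. The following is an added example for this page using the Microsoft Graph PowerShell SDK; it is not code from the original post or from Microsoft. It assumes the Microsoft.Graph module is installed and the signed-in account may manage the user's authentication methods; the user principal name is a placeholder.

```powershell
# Added example: list a user's Temporary Access Passes and delete those that can no
# longer be used. Assumptions: Microsoft.Graph module installed; signed-in account
# may manage the user's authentication methods; UPN below is a placeholder.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

$userId = "allan.deyoung@contoso.com"   # placeholder user principal name

$passes = Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userId

foreach ($p in $passes) {
    # Expiry is not returned directly; it is the start time plus the lifetime.
    $expiresUtc = $p.StartDateTime.AddMinutes($p.LifetimeInMinutes)

    "{0}  start={1:u}  expires={2:u}  usable={3}  reason={4}" -f `
        $p.Id, $p.StartDateTime, $expiresUtc, $p.IsUsable, $p.MethodUsabilityReason

    # IsUsable is false once the pass has expired or a one-time pass has been consumed.
    # Removing such entries keeps the user's method list free of stale passes.
    if (-not $p.IsUsable) {
        Remove-MgUserAuthenticationTemporaryAccessPassMethod `
            -UserId $userId `
            -TemporaryAccessPassAuthenticationMethodId $p.Id
    }
}
```

To revoke a pass that is still valid, drop the `if (-not $p.IsUsable)` guard and remove the specific pass by its ID instead.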

Limitations of a Temporary Access Pass