Blog Post

Microsoft Entra Blog
2 MIN READ

Temporary Access Pass is now in public preview

Alex Simons (AZURE)'s avatar
Alex Simons (AZURE)
Icon for Microsoft rankMicrosoft
Mar 02, 2021

Today we announced the general availability of our passwordless solution and the public preview of Temporary Access Pass in Azure Active Directory. Temporary Access Pass is a game-changer that completes the end-to-end passwordless onboarding experience for your users. It is a time-limited passcode they can use to set up security keys and the Microsoft Authenticator without ever needing to use, much less know, a password!

 

I’ve invited Inbar Cizer Kobrinsky, a senior program manager on the Identity Security team, to share more details about Temporary Access Pass.

 

Best Regards,

 

Alex Simons (Twitter: @alex_a_simons)

Corporate Vice President Program Management

Microsoft Identity Division

 

------------------------------------------------------------

 

Hi everyone!

 

We created Temporary Access Pass to address many of your passwordless account onboarding and recovery scenarios. In this post, I’ll introduce you to its capabilities and share why you should try it for yourself.

 

What is Temporary Access Pass?

For a user to truly be passwordless, they shouldn’t know or use their password, and instead use passwordless authentication methods and recovery if they lose their authentication devices.

 

Temporary Access Pass is a time-limited passcode that allows users to register passwordless methods authentication and recover access to their account without a password.

 

Admin experience

The authentication methods policy helps to harden the security around Temporary Access Pass issuance based on your needs. For example, you can limit it to specific users and groups, limit the use for a short period, or set it for one-time use. After enabling the Temporary Access Pass policy, you can then create a Temporary Access Pass for your users.

 

Temporary Access Pass authentication method policy

 

 

The updated user authentication method page allows a privileged authentication administrator and an authentication administrator to create a Temporary Access Pass for a user, within the allowed limits of the Temporary Access Pass authentication methods policy.

 

 

Creating a new Temporary Access Pass on a user from the Azure AD portal

 

End user experience

Once a user has a valid Temporary Access Pass, they can use it to sign in and register a FIDO2 key from the My Security Info page or register for passwordless phone sign-in directly from the Authenticator app.

 

Sign in to Azure AD with Temporary Access Pass

 

Learn more

You can learn more about how to configure Temporary Access Pass in documentation.

 

Some of you may have existing applications for new employee onboarding experiences. Temporary Access Pass is available through the Microsoft Graph APIs, so you can incorporate it into your existing applications. Get details on TAP authentication method APIs and on how to use the policy APIs.

 

Tell us what you think

Give it a try and let us know if you have questions or feedback. I hope you will love it as much as we do!

 

Inbar Cizer Kobrinsky (@inbarck),

Senior Program Manager,

Microsoft Identity Division

 

 

Learn more about Microsoft identity:

 

Updated Mar 02, 2021
Version 3.0
security
Alex Simons (AZURE)'s avatar
Icon for Microsoft rankMicrosoft
Joined May 01, 2017
View Profile
Microsoft Entra Blog
Stay informed on how to secure access for employees, customers, and non-human identities, from anywhere, to multicloud and on-premises resources, with comprehensive identity and network access solutions powered by AI.

20 Comments

Sort By
Show More
  • Reza_Ameri's avatar
    Reza_Ameri
    Silver Contributor
    Apr 08, 2021

    This is great feature but we are observing new risk and it is hackers are moving toward hacking mobile devices and in this case, they would have access to Authenticator apps and credentials. 

    In addition, hacking phone are much easier than Windows, so this is a new concern.

    But options like Windows Hello are great passwordless methods.

  • JonasBack's avatar
    JonasBack
    Steel Contributor
    Apr 08, 2021

    Inbar Cizer Kobrinsky we're doing a pilot this week with 100 users using this. One question, we're creating new Azure AD (Cloud Only) users for this. By default when you create these you have to create an initial password (or let Azure AD autogenerate one for you). This means the users will actually have a password under the hood (even though never used).

     

    Comments? Any plans to make it possible to create users that truly don't have a password or am I missing something?

  • Unearth's avatar
    Unearth
    Brass Contributor
    Mar 04, 2021

    I understand this is primarily designed to help users get registered for passwordless - but for customers who are still using passwords/MFA, can it be used by IT to provide temporary access to a user's account (say, to log into their AzureAD joined workstation) without having to reset their password? Or for say the ability to start the autopilot process on their laptop for them? If so, i assume the login will still be subject to MFA challenge, or does TAP bypass that? Thanks!

  • Inbar Cizer Kobrinsky's avatar
    Inbar Cizer Kobrinsky
    Icon for Microsoft rankMicrosoft
    Mar 03, 2021

    Chris_Clark_Netrix  - you can issue Temporary Access Pass for cloud and federated accounts. If a federated user has a valid pass, they will be able to use it for cloud authentication and register a passwordless method. From that point on, the user can be federated but if using passwordless method - they will be able to do cloud authentication. 

OSZAR »