How to use Temporary Access Passes in Azure AD

#AzureAD #security

The Temporary Access Pass (TAP) is a strong authentication method in Azure Active Directory that allows a user to bypass a second MFA method for a short period of time. This feature is intended to be used in both passworded environment and passwordless envrionments (FIDO2, Hello for Business). The TAP's primary use is to give users a temporary second factor for authentication while keeping your existing security controls in place. If a user knows their password, but doesn't have access to a second authentication method (new phone or phone number, network outage, travelling, etc), an Azure AD admin can generate a TAP code and relay it to them so they can sign in.

This post will discuss how to generate Temporary Access Passes in Azure AD and how users will sign in using this code.

Enable the Temporary Access Pass feature

Before you can generate TAPs for users, you will need to enable the method in Azure AD.

To enable this feature, you need the Global administrator Role in Azure AD.

  1. Login to the Azure AD portal:

  2. Search for “Azure AD Authentication Methods” and open the blade.

  3. Click on the link for “Temporary Access Pass”: Screenshot of the Azure AD Authentication Methods blade

  4. Toggle the “Enable” switch: Screenshot of the Temporary Access Pass blade

  5. Open the “Configure” tab and click the “Edit” button. A pane will open on the right side that will allow you to configure your org-wide settings for TAP code: Screenshot of the Temporary Access Pass configuration pane

Once you've saved these settings, you're ready to create TAPs for your users.

Create a Temporary Access Pass

To get a TAP code, users must know their current username and password and must contact an administrator to request one.

The following Azure AD permissions are required to create Temporary Access Passes:

NOTE: Admins cannot create TAPs for themselves. This limitation can make it difficult to test this process without creating a test user account.

To create a TAP for a user, perform the following steps:

  1. Ensure that the user request is valid. Users must remember their username and password to use a TAP.

  2. Sign into the Azure AD portal:

  3. Navigate to the Users blade and open the user that you want to assign a TAP.

  4. Navigate to the Authentication Methods blade.

  5. Click on the option at the top of the page “Try the new user authentication methods experience”, if present.

  6. Click the button “Add authentication methods”.

  7. In the dropdown list, choose “Temporary Access Pass”

  8. Define the duration and activation time and click the “Add” button: Screenshot of the Azure AD portal showing the Temporary Access Pass option

  9. After generating the password, instruct the user to login to

  10. Send the code to the user: Screenshot of the Temporary Access Pass details pane

  11. Instruct the user to login with their username and password. The “Enter Temporary Access Pass” window will appear automatically: Screenshot of the Microsoft login screen, Temporary Access Pass entry

  12. After inputting the TAP, the user will be redirected to the “Security info” page where they can make changes to their existing authentication methods and add new ones: Screenshot of the My Sign-Ins page showing the Temporary Access Pass entry

By using Temporary Access Passes, you can keep your organization's Conditional Access and MFA policies in place and allow users to sign in when they don't have access to their second factor. A TAP can prevent the need for adding the user to an exception group or manually disabling MFA for the user. It is also a good idea to scope this permission to a Custom Role so that your Helpdesk or Tier 1 staff can generate these codes when users need them.