Temporary Access Pass (TAP) is an Azure AD feature that became GA in late June this year. It can help many organizations onboard new employees, from setting up password-less authentication to rolling out a Modern Workplace with Microsoft Intune and Autopilot. This article describes what is needed to configure TAP within your organization and how a TAP can be used to roll out a workplace with Autopilot.
What is a Temporary Access Pass?
This Azure AD feature generates a temporary (one-time) code. With this code, a user can (temporarily) log in without a password. The code is also registered as a (strong) authentication method, so you won’t be prompted for a second factor when logging in. A TAP always has an expiration date and time, and can optionally be limited to a single use.
Why Temporary Access Pass and Autopilot?
Temporary Access Pass can help when a user gets onboarded. It's important the user can register authentication details without extra security prompts. Authentication details include FIDO2 Security Key, Authenticator App, Mobile Phone number, etc.
I can imagine that there are organizations that would rather not burden users with installing/configuring a workplace. In that case, TAP can be beneficial! It is, in fact, possible for the Service Desk employees to roll out a device without requesting or using the password of the future user.
The Intune service has different methods and phases for deploying a device. We will not discuss this broadly in this blog, but it is good to know that there are three phases through which the Autopilot service runs: Device Preparation, Device Setup, and Account Setup. The last two are essential for now. Various applications, configurations, and settings are prepared during these two phases. Depending on the design, this process can take a while and sometimes go wrong. Besides these two reasons for letting the Service Desk install the laptop, it also helps the user get up and running quickly.
What roles are required to create a TAP?
- Global Administrators can create, delete, and view a TAP on any user (except themselves)
- Privileged Authentication Administrators can create, delete, and view a TAP on admins and members (except themselves)
- Authentication Administrators can create, delete, and view a TAP on members (except themselves)
- Global Reader can view the TAP details on the user (without reading the code itself).
- Make sure Combined Security Registration is enabled for your organization
- Configure authentication methods
- Conditional Access should be configured for Azure MFA
- Enable Web-Sign in (in case of Autopilot)
- Configure and enable the new authentication method experience
- TAP can’t be used with the Network Policy Server (NPS) extension and AD FS adapter.
How to enable and configure a Temporary Access Pass?
- Open the Azure Portal with a Global Admin account and navigate to > Azure Active Directory > Security
- On the Security | Authentication methods blade, select Policies
- Select Temporary Access Pass
- Now that we are on the TAP page, we can configure the Temporary Access Pass settings based on the organizational needs.
| Setting | Default value | Allowed values | Comments |
|---|---|---|---|
| Minimum lifetime | 1 hour | 10 – 43,200 minutes (30 days) | The minimum number of minutes that the Temporary Access Pass is valid. |
| Maximum lifetime | 8 hours | 10 – 43,200 minutes (30 days) | The maximum number of minutes that the Temporary Access Pass is valid. |
| Default lifetime | 1 hour | 10 – 43,200 minutes (30 days) | The default value can be overridden for an individual pass, within the minimum and maximum lifetime configured in the policy. |
| One-time use | False | True / False | When the policy is set to false, passes in the tenant can be used either once or more than once during their validity (maximum lifetime). When one-time use is enforced in the Temporary Access Pass policy, all passes created in the tenant are created for one-time use. |
| Length | 8 | 8 – 48 characters | Defines the length of the passcode. |
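The same policy can be set through Microsoft Graph instead of the portal. The script below is an added example, not part of the original walkthrough; it assumes the Microsoft.Graph.Authentication PowerShell module is installed, and the chosen lifetimes and length are illustrative values, checked against the allowed ranges in the table before they are sent.

```powershell
# Added example: configure the TAP policy through Microsoft Graph.
# Assumes the Microsoft.Graph.Authentication module and an account that is
# allowed to edit authentication method policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'

# Illustrative values (assumptions); adjust to your onboarding process.
$policy = @{
    '@odata.type'            = '#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration'
    state                    = 'enabled'
    minimumLifetimeInMinutes = 60
    maximumLifetimeInMinutes = 480
    defaultLifetimeInMinutes = 60
    defaultLength            = 12
    # $true would force every pass in the tenant to be single-use. The Autopilot
    # flow in this article signs in with the TAP twice, so it stays $false here.
    isUsableOnce             = $false
}

# Validate against the allowed ranges from the table before calling Graph.
foreach ($key in 'minimumLifetimeInMinutes', 'maximumLifetimeInMinutes', 'defaultLifetimeInMinutes') {
    if ($policy[$key] -lt 10 -or $policy[$key] -gt 43200) {
        throw "$key must be between 10 and 43200 minutes."
    }
}
if ($policy.defaultLength -lt 8 -or $policy.defaultLength -gt 48) {
    throw 'defaultLength must be between 8 and 48 characters.'
}
if ($policy.defaultLifetimeInMinutes -lt $policy.minimumLifetimeInMinutes -or
    $policy.defaultLifetimeInMinutes -gt $policy.maximumLifetimeInMinutes) {
    throw 'defaultLifetimeInMinutes must lie between the minimum and maximum lifetime.'
}

$uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/' +
       'authenticationMethodConfigurations/TemporaryAccessPass'

# PATCH only the properties above; the user/group targeting of the policy is left unchanged.
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body ($policy | ConvertTo-Json) -ContentType 'application/json'

# Read the policy back to confirm what is now in effect.
Invoke-MgGraphRequest -Method GET -Uri $uri
```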
Temporary Access Pass in action
Now that we have activated and configured TAP, we can start with the next step. First, I will walk you through creating a TAP code and logging in under a specific user. Later in this blog, screenshots and settings that are required to be able to roll out a workplace with this TAP code will follow.
- Open the Azure Portal with the appropriate rights and navigate to > Azure Active Directory
- On the Users | All Users blade, search for the user you want to create a TAP for and select the user
- Now that you have found the user, click on Authentication methods
- Click on the Add authentication method and select Temporary Access Pass.
- Now configure the settings for the TAP, and don’t forget to copy the TAP code.
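For a Service Desk that issues passes regularly, the portal steps above can be scripted against Microsoft Graph. This is an added example, not from the original post; it assumes the Microsoft.Graph.Authentication module, and the user principal name is a placeholder.

```powershell
# Added example: issue a TAP for one user through Microsoft Graph.
# The signed-in admin needs one of the roles listed earlier in this article.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

$user = 'christie@contoso.example'   # placeholder UPN (assumption)
$base = "https://graph.microsoft.com/v1.0/users/$user/authentication/temporaryAccessPassMethods"

# A user can hold only one TAP at a time, so remove any leftover pass first.
$existing = (Invoke-MgGraphRequest -Method GET -Uri $base).value
foreach ($old in $existing) {
    Invoke-MgGraphRequest -Method DELETE -Uri "$base/$($old.id)"
}

# The lifetime must fall inside the policy's minimum and maximum lifetime.
# The Autopilot flow in this article signs in twice (at enrollment and again
# after the reboot), so this pass is multi-use with a short lifetime.
$request = @{
    lifetimeInMinutes = 60
    isUsableOnce      = $false
}
$tap = Invoke-MgGraphRequest -Method POST -Uri $base `
    -Body ($request | ConvertTo-Json) -ContentType 'application/json'

# The passcode is returned only in this creation response; later reads of the
# method return it as null, so hand it over (or use it) now.
[pscustomobject]@{
    User                = $user
    TemporaryAccessPass = $tap.temporaryAccessPass
    StartsUtc           = $tap.startDateTime
    LifetimeInMinutes   = $tap.lifetimeInMinutes
    OneTimeUse          = $tap.isUsableOnce
}

# Once the device has been handed over, remove the pass instead of waiting
# for it to expire:
# Invoke-MgGraphRequest -Method DELETE -Uri "$base/$($tap.id)"
```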
Temporary Access Pass user experience
Now that we have created the TAP code for Christie, we will try to log in with her account. I browse to the Office Portal and enter her username. After I click Next, the sign-in process asks for the TAP code (if not, select Use your Temporary Access Pass instead). Now, fill in the TAP code copied earlier and click on Sign in. Now you should be in!
Temporary Access Pass and Autopilot
Note: TAP must be configured and activated to use the scenario below.
If you have not already done this, start under the heading “How to enable and configure a Temporary Access Pass?“.
By default, signing in via the web while provisioning a device isn’t possible. That’s why we first need to activate the Web Sign-In for Autopilot. We can achieve this by creating a Device Configuration Profile. If this step is skipped, you will not be able to configure the device to the desktop state. You will be able to enroll a device, but after the Device Setup phase, your device can reboot and ask for the user credentials (without the possibility to use a TAP code). That’s the main reason why we want to enable Web Sign-in.
- Open the Endpoint Manager Portal and navigate to > Devices > Configuration Profiles
- On the Devices | Configuration Profiles blade, select Create Profile > and create a Windows 10 and later profile
- When the Profile Type is asked, select Settings Catalog
- Give your Configuration Profile a name, and additionally a description
- Now click on Add Settings > and search for Enable Web Sign In
- Set the value to “Enabled. Web Sign-in will be enabled for signing in to Windows” and click Next
- Configure any Scope Tags and click Next > Now assign the Configuration Profile to a Device Group*.
- Click Next and then Create
Keep in mind that using the Web Sign-In should be temporary. Web Sign-In isn’t enabled by default because it breaks the SSO with on-premises resources.
When you start the Autopilot enrollment, in the first stage, it will ask for a username followed by the TAP code we had created. Then, after signing in, the Device will start the enrollment.
After the Device Setup phase, a reboot may occur. When the restart has occurred, the user will be prompted to log in again. This is where Web Sign-in allows us to use TAP. Below is a screenshot of the icon that must be visible to use the Web Sign-in we enabled earlier.
Now when we click on Sign In, a Microsoft window asks us to enter the user credentials. First, start with the Username, followed by the TAP code we created.
Now that we have signed in using the TAP, the Account Setup phase will complete and take you to the Windows Hello for Business setup or the desktop. From here, you can shut down the machine.
Temporary Access Pass can make a massive contribution toward a password-less environment. However, remember that user adoption is just as important. Ensure that users are informed about what is expected using a manual.
Check out my blog posts about Access Packages and Access Reviews. A feature that will help you towards Identity Governance for your organization.
The “globe” for Web Sign In doesn’t appear, even though I assigned the device to the configuration profile.
What did I do wrong here?
Hi Claus, thanks for your response (I also saw your reaction on Reddit).
Can you tell me which Build and version you are using for Windows?