Contents

Journey To Passwordless: Temporary Access Pass

Blog series

  1. Passwordless: But why?
  2. Enable passwordless
  3. Temporary Access Pass
  4. FIDO2 Security keys
  5. Windows 10 device onboarding and Windows Hello for Business
  6. PowerShell administration without a password
  7. Microsoft Authenticator app
  8. Restrict FIDO2 key usage & conclusion

Recap

In the first two blogs of the series, I highlighted the concept and benefits of Passwordless and took the necessary configuration steps in the Entra ID (Azure AD) Tenant. Now we turn to the first piece of the puzzle towards a true passwordless sign-in.

The Temporary Access Pass.

What is a Temporary Access Pass

A Temporary Access Pass (TAP) is an access code for the user. Similar to a password, it can be used to sign in for the first time.

The big difference with a TAP, however, is that it can only be used for a limited time. A period between one and eight hours can be selected. Another restriction is that the use can be limited to a single sign-in.

Since a FIDO2 key currently cannot be added by an administrator for a user, the TAP is thus the only option for initial setup of a new account without a password.

Info
Currently, TAP is still in the public preview. However, my tests have shown that this function works very well.

Create a Temporary Access Pass

Time to provide the first user with a TAP.

After a new Entra ID (Azure AD) user has been created, a TAP can be created via the menu item “Authentication methods”. A password is assigned when the user is created, but you do not need to write it down.

Usually it takes a short moment until you can add the data for a new user. If you are too fast the following error message appears:

/en/journey-passwordless-temporary-access-pass/images/TimingProblem.png

After one or two minutes, the problem should have resolved itself. It is probably a timing problem with the user creation.

/en/journey-passwordless-temporary-access-pass/images/AddAuthenticationMethod.png

If the legacy User Authentication Methods Experience is still active, you have to switch it to the new experience by clicking on “Switch to the new user authentication methods experience”.

/en/journey-passwordless-temporary-access-pass/images/SwitchToNewAuthExperience.png

A Temporary Access Pass can now be created via “Add authentication method”.

/en/journey-passwordless-temporary-access-pass/images/AddTAPOneTimeUse.png

When creating the TAP, you can manually change its validity period. If no restrictions have been made in the global configuration, 1 hour intervals from one to 8 hours are possible.

It is also possible to configure whether the TAP can be used several times or only once. This Destroy After Use function is optional and also has its negative sides.

For example, the user must have stored an alternative sign-in method, e.g. a FIDO2 security key or the Authenticator app, no later than 10 minutes after sign-in. Unfortunately, the user is not made aware of this fact.

The TAP is then displayed in plain text and can be sent to the user.

Warning
The TAP can no longer be viewed later. If you missed to make a note of it, you have to delete the existing one and create a new one.

/en/journey-passwordless-temporary-access-pass/images/TemporaryAccessPass.png

Conveniently, Microsoft also displays the URL for the initial setup of a secure login method.

aka.ms/mysecurityinfo

Multiple active TAPs?

There can only ever be one active TAP per user. But after this TAP expires, a new one can be created and the existing one will be overwritten.

As long as the existing TAP is valid this is not possible, you have to remove it first and then you can add a new one.

/en/journey-passwordless-temporary-access-pass/images/MaximumOfOneActiveTAP.png

PowerShell and Graph API

The Entra ID (Azure AD) PowerShell Module does not currently support the new Authentication Method API in either the GA release (2.0.2.130) or the preview (2.0.2.134).

With the Microsoft Graph PowerShell module it is possible to manage the new authentication methods, but you have to use the Beta Graph API.

# Install module
Install-module Microsoft.Graph.Identity.Signins -Scope CurrentUser
# Connect to Microsoft Graph API using Device Authentication and with correct API permissions
Connect-MgGraph -Scopes UserAuthenticationMethod.ReadWrite.All
# Switch to beta API
Select-MgProfile -Name beta

Create a TAP

# Create a one time usable TAP, valid for 61 minutes
$TAP = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId 849189be-c4c1-4873-aabd-570604214c0a -IsUsableOnce -LifetimeInMinutes 61
# Retrieve TAP
$TAP.TemporaryAccessPass

/en/journey-passwordless-temporary-access-pass/images/PowerShellNew-MgUserAuthenticationTemporaryAccessPassMethod.png

Show a TAP

# List TAP registered to a user
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId 849189be-c4c1-4873-aabd-570604214c0a

/en/journey-passwordless-temporary-access-pass/images/PowerShellGet-MgUserAuthenticationTemporaryAccessPassMethod.png

Remove a TAP

Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId 849189be-c4c1-4873-aabd-570604214c0a -TemporaryAccessPassAuthenticationMethodId 149e0573-c362-429a-9a33-bd8a1d5b632d

/en/journey-passwordless-temporary-access-pass/images/PowerShellRemove-MgUserAuthenticationTemporaryAccessPassMethod.png

Graph Explorer

Via the Microsoft Graph Explorer you can also directly access the API endpoints.

/en/journey-passwordless-temporary-access-pass/images/GraphExplorer.png

https://graph.microsoft.com/beta/users/849189be-c4c1-4873-aabd-570604214c0a/authentication/methods

As a result, all registered logon methods are returned. The TAP has the following format.

{
    "@odata.type": "#microsoft.graph.temporaryAccessPassAuthenticationMethod",
    "id": "149e0573-c362-429a-9a33-bd8a1d5b632d",
    "temporaryAccessPass": null,
    "createdDateTime": "2021-05-13T15:22:52.879393Z",
    "startDateTime": "2021-05-13T15:22:52.6349677Z",
    "lifetimeInMinutes": 480,
    "isUsableOnce": false,
    "isUsable": true,
    "methodUsabilityReason": "EnabledByPolicy"
}

Use a Temporary Access Pass

After the TAP has been created and sent to the user, of course via a secure method, the user can sign-in for the first time.

This is where another restriction comes into play that must be taken into account.

Info
It is not possible to onboard a new Windows computer via TAP. No matter if Autopilot or Out-of-Box-Experience (OOBE), in this case e.g. a FIDO2 security key is necessary for the authentication.

Thus, the initial setup should be performed on an existing, secured computer using a browser. Only then can the user put his Privileged Admin Workstation (PAW) into operation.

Sign-In

The setup is done via the My Security Information website.

When signing in, the difference to an initial sign-in using a password quickly becomes clear. After entering the user name, no password is requested, but the Temporary Access Pass. If the entry is correct, you will be redirected directly to the portal.

/en/journey-passwordless-temporary-access-pass/images/TAPSignInExperience.png

With a sign-in by means of user name and password, the user would now have been prompted to change the password.

/en/journey-passwordless-temporary-access-pass/images/ChangePassword.png

After the successful sign-in, the user must now add an additional method for sign-in. In the following example I use a FIDO2 Security Key. In the following blogs I will go into more detail about this sign-in method and also present the “Authenticator App” as a alternative.

Setup a FIDO2 security key

In the portal, select “Add method” and then select “Security key” as the method.

/en/journey-passwordless-temporary-access-pass/images/TAPSignIn-3-MySignInsPortalCorrect.png

Now select “USB device” and confirm the next message with Next.

/en/journey-passwordless-temporary-access-pass/images/SecurityKeyChoice.png

Now you will be asked by Windows to allow access to the FIDO2 Security Key, additionally you have to agree that certain key information will be sent to login.microsoft.com and a credential will be created on the key. Finally, you have to confirm the action by touching the respective area on the FIDO2 Security Key. With other FIDO2 models there is an additional PIN request. However, the FIDO2 Security Key used also supports fingerprints for unlocking, which makes the setup a bit more convenient.

/en/journey-passwordless-temporary-access-pass/images/TAPSignIn-7-9.png

Finally, a descriptive name must be entered for the security key.

/en/journey-passwordless-temporary-access-pass/images/TAPSignIn-10-NameYourKey.png

From now on, the user can sign-in to Entra ID (Azure AD) with their security key and the TAP is no longer needed.

Special considerations with Self Service Password Reset (SSPR)

If the user is part of the Self Service Password Reset (SSPR) policy, the SSPR registration flow is forced after the initial sign in.

/en/journey-passwordless-temporary-access-pass/images/MoreInformationRequired.png

This currently only allows the Microsoft Authenticator app to be added. The setup of a FIDO2 Security Key is only possible afterwards.

/en/journey-passwordless-temporary-access-pass/images/SSPRFlowOnlyAuthenticatorApp.png

Basically, the SSPR function should be deactivated for users who are to work 100% without a password. Otherwise, you can use this loophole to obtain a password again.

Since users in certain administrative Entra ID (Azure AD) roles enforce SSPR by default, this should theoretically affect all administrators.

Info
In my tests, the behavior occurred once.
After first disabling and then re-enabling the SelfServePasswordResetEnabled value in my tenant, I could no longer reproduce it.
# Aktuellen Wert überprüfen
Get-MsolCompanyInformation | Select SelfServePasswordResetEnabled
# Anpassen
Set-MsolCompanySettings -SelfServePasswordResetEnabled $false

Can I still use a password?

The password, which is mandatory when creating a user, cannot be removed at the moment. It is also not possible to prevent sign-in using a password at this time. However, a conditional access policy can be used to force the use of a start-up authentication via MFA or a security key. Thus, an attack scenario in which the attacker guesses the password is very unlikely.

Changing the password is also not possible for the user, since the existing password is not known. Of course, features such as SSPR must also be disabled for the user.

Next steps

In the next blog post, I will go into more detail about setting up FIDO2 Security Keys and signing-in with them. I will introduce two FIDO2 Security Keys that do not require a PIN. The goal is to get along 100% without PIN or password entry.

Info
The next blog entry is expected to appear on 24.05.2021.