Azure AD – Temporary Access Pass for passwordless users is now in preview

As you know, for the past few years Microsoft has been working to remove the need for passwords when accessing Microsoft cloud services through Azure Active Directory, an approach known as passwordless.

There was still a problem, though: the end user needed to know their password at some point, because registering a security key or Microsoft Authenticator required signing in first.

This is now addressed by the Temporary Access Pass, a time-limited passcode that lets an end user set up their security keys and/or Microsoft Authenticator without ever needing to know a password.

To start using it, connect to the Azure AD portal (https://aad.portal.azure.com/) and open the Azure Active Directory\Security\Authentication Methods\Policies blade to enable the Temporary Access Pass method.


When enabling Temporary Access Pass, you can define the lifetime and format of the passcode; the defaults are:

  • Minimum lifetime: 1 hour
  • Maximum lifetime: 8 hours
  • One-time use: No
  • Length: 8 characters

Of course, as a best practice it is recommended to set One-time use to Yes, so a pass cannot be reused after the user has registered a strong method; as this is a preview capability, I assume feedback will be given to get it enabled by default (you can give feedback here: https://feedback.azure.com/forums/169401-azure-active-directory?category_id=368362).


Then open the user's blade to get the Temporary Access Pass code; you will have to switch to the new user authentication methods experience (you will see a purple banner if you have not switched yet; you can go back to the current experience at any time using the blue banner link).


Then add a new authentication method and select Temporary Access Pass.


Then define the pass settings for this user: a delayed activation (start time, which is useful for new joiners) and the duration.


Now you can get the passcode and share it with the end user (I did not remove the Temporary Access code on purpose) and instruct them to sign in at https://aka.ms/mysecurityinfo to register their authentication methods (security keys and/or Microsoft Authenticator). Treat the pass as a credential: deliver it over a channel separate from the one carrying the username, and keep the lifetime as short as the onboarding window allows.
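The same procedure can be scripted, which is what you want for a joiner process rather than clicking through the portal per user. The following is an added example written for this post, not code from the original article or from Microsoft; it uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph module is installed and the signed-in admin holds the Policy.ReadWrite.AuthenticationMethod and UserAuthenticationMethod.ReadWrite.All permissions. The user principal name is a placeholder, and the Graph paths shown are the v1.0 ones where the feature now lives (during the preview the same objects were exposed under /beta).

```powershell
# Added example: enable Temporary Access Pass in the tenant policy, issue a
# one-time pass to a user, then verify the user actually registered a strong
# method before the pass expires. Not the original post's code.
# Assumptions: Microsoft.Graph module installed; admin consented to the scopes
# below; $upn is a placeholder for a real user.

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "UserAuthenticationMethod.ReadWrite.All"

$upn = "new.joiner@contoso.com"   # placeholder user

# 1. Tenant policy: enable the method with the hardened settings discussed
#    above (one-time use, 1 hour default, 8 hour maximum, 8 characters).
#    "all_users" is the built-in target id that scopes the method to everyone.
$policyBody = @{
    "@odata.type"            = "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration"
    state                    = "enabled"
    isUsableOnce             = $true
    defaultLifetimeInMinutes = 60
    minimumLifetimeInMinutes = 60
    maximumLifetimeInMinutes = 480
    defaultLength            = 8
    includeTargets           = @(
        @{ targetType = "group"; id = "all_users"; isRegistrationRequired = $false }
    )
}
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/TemporaryAccessPass" `
    -Body $policyBody -ContentType "application/json"

# 2. Issue the pass: valid for 1 hour starting tomorrow 09:00 UTC (delayed
#    activation for a new joiner), usable once.
$start = (Get-Date).Date.AddDays(1).AddHours(9).ToUniversalTime()
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn `
    -StartDateTime $start -LifetimeInMinutes 60 -IsUsableOnce

# The pass value is only returned at creation time; hand it over out of band
# (not in the same message as the username) and do not log it.
Write-Host "TAP for $upn valid from $($tap.StartDateTime) for $($tap.LifetimeInMinutes) min"
Write-Host "Pass (deliver out of band): $($tap.TemporaryAccessPass)"

# 3. Later check: did the user register a passwordless method? Graph returns
#    the method type in @odata.type; FIDO2 and Authenticator are the ones we
#    are onboarding. Any leftover TAP that was not consumed is removed.
$methods = Get-MgUserAuthenticationMethod -UserId $upn
$strong  = $methods | Where-Object {
    $_.AdditionalProperties["@odata.type"] -in @(
        "#microsoft.graph.fido2AuthenticationMethod",
        "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"
    )
}
if ($strong) {
    Write-Host "$upn registered $($strong.Count) strong method(s)"
    Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn | ForEach-Object {
        Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn `
            -TemporaryAccessPassAuthenticationMethodId $_.Id
    }
} else {
    Write-Warning "$upn has not registered a strong method yet; pass expires at $($start.AddMinutes(60))"
}
```

The policy PATCH only needs to run once per tenant; steps 2 and 3 are the per-user part. Removing an unconsumed pass once registration is confirmed matters when One-time use is left at its default of No, since otherwise the pass stays valid for its whole lifetime.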


When the user signs in, they are asked for the password (which they do not know) and offered the option to use the Temporary Access Pass instead.
