If you're like me you may have seen a few blog posts coming out around Temporary Access Pass (TAP) recently. Anything around passwords grabs my attention, so I thought this would be a good opportunity to find out a bit more about it. As I work within the Modern Desktop area I wanted to add a slightly different view of this and see how it integrates with Microsoft Endpoint Manager (MEM).
To give a little context to this feature, I have personally witnessed increased interest from companies over the last year wanting to implement passwordless authentication, with Windows Hello for Business being a common option. TAP introduces a new passwordless method to the stack to sit alongside Azure AD multi-factor authentication, helping the cause to dump our passwords. Microsoft announced at Ignite 2021 that they are making passwordless login a standard feature for their cloud-based Active Directory.
The drive to introduce these methods is backed by Microsoft's research, which shows that most cyber attacks start with a compromised user name or password. While you can try to counter this by enforcing long or complex passwords as well as MFA, this generally frustrates end users and can increase support costs.
The premise for Passwordless authentication is:
"With passwordless, the password is replaced with something you have plus something you are or something you know. For example, Windows Hello for Business can use a biometric gesture like a face or fingerprint, or a device-specific PIN that isn't transmitted over a network." - Microsoft Quote.
Microsoft are looking to emphasize the importance of introducing stronger but also simpler methods of authentication.
Diagram provided by Microsoft: Authentication methods and features - Azure Active Directory | Microsoft Docs
Passwordless authentication can already be configured with the following methods:
TAP becomes useful, however, in providing access for users when enrolling with new services without generating a password. A pass can be created by using a REST API, but a more user-friendly setup, and the one I will show here, is using the user interface within the Azure Portal and MEM. IT admins set up a one-time, short-term login code which is provided to end users either as part of their initial login or when they need to recover account access after losing a phone or security key used for authentication. By navigating to https://aka.ms/mysecurityinfo the user can use the assigned code to log in and change their authentication methods, such as changing their registered phone and number, and therefore reduce the security risk.
So how is this set up?
Well, keep in mind this is still in preview and the options could change. The service is also disabled by default, although I do see the benefit of enabling it out of the box. To enable the service you have to log in to the Azure portal (https://portal.azure.com) and choose some initial settings as shown below. You will need to log in with either a Global Administrator or Authentication Method Policy Administrator account to update the TAP authentication method settings.
You can see above where 'Temporary Access Pass (preview)' is initially set to 'No'.
Enable Temporary Access Pass (TAP)
Alongside this, in the 'General' section on the right hand side, you will find settings for changing the minimum and maximum lifetime of the passcode, and whether to set 'Require One-time use'.
I set this to 'Yes' for my own testing here, but it may suit to keep it set to 'No' for situations such as an initial user login.
One interesting test has been to see what happens during the OOBE setup using Autopilot. Peter Klapwijk wrote a great post on this which you can see at My first experience with Temporary Access Pass during Windows Autopilot enrollment | In The Cloud 247. There he shows the use of TAP when onboarding a new user with a new Windows 10 device.
In my own testing I wondered how this would work when enabling the service after a Windows 10 device had already been enrolled into Intune. The device in question was running Windows 10 20H2 and had been enrolled into Intune using Autopilot. Following the completion of all the configuration I enabled TAP as described above, then switched back into Microsoft Endpoint Manager for the same tenant.
Create a Temporary Access Pass for a User
Worth noting: if it's the first time you're switching this on for a specific user, you may need to click the 'Switch to the new Authentication methods experience...' banner as shown below.
Then at the top select '+ Add Authentication method', then choose 'Temporary Access Pass (Preview)' from the drop-down menu.
By default the time duration is set to 1 hour and the One-time Pass is set to 'No'. You can also tick the check box to delay the start of the pass, which may be useful for new joiners. Here you can set
Once set for my user, I logged off my Windows 10 device to bring up the login page. Here I selected the PIN option for login, then clicked 'Forgot my PIN' and hey presto, I'm prompted for an access pass.
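As an added example (not code from the original post or from Microsoft), here is how the REST route mentioned earlier and the settings above map onto a Microsoft Graph call: a small Python script that builds the request body for a user's TAP, checks it locally against the tenant's minimum/maximum lifetime and one-time-use settings before sending, and works out when the pass expires. The POLICY values, the sample response and the token/UPN handling are assumptions for illustration.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumed tenant policy values, mirroring the 'General' settings in the portal
# (constructed for this example; read your own tenant's settings instead)
POLICY = {"min_minutes": 60, "max_minutes": 480, "require_one_time": False}

# TAP lived under /beta during the preview; it is under /v1.0 today
GRAPH = "https://graph.microsoft.com/v1.0"

def _parse_utc(ts):
    """Parse a Graph UTC timestamp; slicing tolerates the 7-digit fractions Graph returns."""
    return datetime.fromisoformat(ts[:19]).replace(tzinfo=timezone.utc)

def build_tap_request(lifetime_minutes=60, one_time=False, start_utc=None, policy=POLICY):
    """Body for POST /users/{upn}/authentication/temporaryAccessPassMethods.
    Values the tenant policy would reject are refused locally, so the admin
    gets a clear error instead of a Graph 400."""
    if not policy["min_minutes"] <= lifetime_minutes <= policy["max_minutes"]:
        raise ValueError(f"lifetime {lifetime_minutes} min is outside the policy range "
                         f"{policy['min_minutes']}-{policy['max_minutes']} min")
    if policy["require_one_time"] and not one_time:
        raise ValueError("tenant policy requires one-time use passes")
    body = {"lifetimeInMinutes": lifetime_minutes, "isUsableOnce": one_time}
    if start_utc is not None:  # delayed start, e.g. a new joiner's first morning
        body["startDateTime"] = _parse_utc(start_utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return body

def create_tap(token, upn, body):
    """Issue the pass. The token needs UserAuthenticationMethod.ReadWrite.All; the
    returned 'temporaryAccessPass' value is only ever shown in this one response."""
    req = urllib.request.Request(
        f"{GRAPH}/users/{upn}/authentication/temporaryAccessPassMethods",
        data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def expiry(method):
    """When a created pass stops working: startDateTime plus lifetimeInMinutes, as UTC ISO text."""
    end = _parse_utc(method["startDateTime"]) + timedelta(minutes=method["lifetimeInMinutes"])
    return end.strftime("%Y-%m-%dT%H:%M:%SZ")

# Constructed sample of what Graph returns (pass value is a placeholder, not a real TAP)
SAMPLE_RESPONSE = {"id": "<method-id>", "temporaryAccessPass": "<TAP-PLACEHOLDER>",
                   "startDateTime": "2021-06-01T08:00:00.1234567Z",
                   "lifetimeInMinutes": 60, "isUsableOnce": True, "isUsable": True}

if __name__ == "__main__":
    print(build_tap_request(60, True), "expires", expiry(SAMPLE_RESPONSE))
```

Hand the returned pass value to the user out of band and do not log it; once the expiry time passes (or the pass is used, when one-time use is set) the value is worthless, which is what the timeout test below confirms from the user's side.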
The next test was to check if the timeout for the pass actually works. After waiting the full hour I tried again.
As you can see the One-time pass had already expired.
Back on the Windows 10 device I ran through the same test: select PIN as my authentication method and choose 'Forgot my PIN'. The experience is the same, in that you are prompted to enter a Temporary Access Pass, but entering the previous pass fails.
I think there is room for improvement here. The screen should maybe say 'You do not have a Temporary Access Pass assigned, contact your administrator'. At the very least it should not present this option to the user, and should only make it available when a temporary access pass has been assigned. Overall I like this feature and think it will certainly introduce a quick and easy way of maintaining security while also making life easier for IT admins.
What are your thoughts and experiences with TAP? Send me your comments.
#Temporaryaccesspass #Intune #Passwordless #Authentication #mem #TAP #MFA #windows #microsoft