Temporary Access Passwords in Azure AD provide the end-user a passcode that is only usable for a limited specified time. They can be configured for multi-use or single-use to allow users to set a permanent password, onboard additional security methods or configure password-less authentication.
They can also be used if a user loses their strong authentication method, such as their mobile phone (for the Microsoft Authenticator app) or a hardware token such as a FIDO2 security key.
In this post I am going to show you how you can set up temporary access passwords in Azure AD to facilitate the above scenarios.
Enable the use of Temporary Access Passwords in Azure AD
2. From the left-hand menu, under Manage select Security.
3. Once you are on the security page, from the left-hand menu, select Authentication methods.
4. On the Policies tab, select Temporary Access Pass from the list of methods.
5. On the Basics tab you have the option to Enable the policy. It will advise you on this page that it is to be used for onboarding and recovery purposes. You can also target specific users, for example a group for newly created user accounts that need to be handed out, or a group of users who rely on hardware token authentication methods, which are easily lost.
6. The Configure tab will allow you to define settings for your policy. Let me explain… When an administrator goes to create a temporary access password, they can define the lifetime of the password between the minimum and maximum values you set on this screen. For example, for a new user account you may want to choose 8 hours, as you are unsure at what point of the onboarding day the user will be shown how to log in to their account by their line manager. On the other hand, a support engineer may want to issue a password of only 10 minutes for a user who needs to quickly log in and update their password or authentication method.
7. Once you have configured your settings, click Update then Save. The method will now show as Enabled in the list.
How to create a temporary access password for a user
2. From the left-hand menu, select Authentication methods.
3. You may see the following notification: “Switch to the new user authentication methods experience! Click here to use it now”. Click the button to update the screen.
4. The window will update and you will be presented with the new look. Click Add authentication method.
5. A window will appear from the left with the heading Add authentication method. From the drop down box select Temporary Access Pass. Here you can choose a delayed start time for user onboardings and you can set the duration within the limits you defined in the policy.
6. Once you click Add, you will be presented with the temporary password, the link the user must visit to reset their security info, and the dates between which the pass is valid.
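The same creation step can be scripted with the Microsoft Graph PowerShell SDK, which is useful when you issue passes in bulk for an onboarding day. This is an added example and not part of the original post; it assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in admin holds a role permitted to manage authentication methods, and the user principal name and start time are placeholder values.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph PowerShell SDK
# is installed and the operator is permitted to manage authentication methods.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

$userId  = "new.starter@contoso.example"   # placeholder UPN
$minutes = 480                             # 8 hours, as in the onboarding scenario above

# List the methods the user already has registered. If an MFA or password-less method
# is still present, the user will be prompted for it after entering the pass.
Get-MgUserAuthenticationMethod -UserId $userId |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } }

# Create a single-use pass that becomes valid tomorrow at 08:00 local time and lasts
# for the chosen lifetime. The lifetime must fall inside the min/max values set in the
# tenant's Temporary Access Pass policy, otherwise the request is rejected.
$start = (Get-Date).Date.AddDays(1).AddHours(8)
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userId `
    -StartDateTime $start `
    -LifetimeInMinutes $minutes `
    -IsUsableOnce

# The pass value is only returned at creation time; hand it over now through
# the agreed channel and do not store it alongside the username.
$tap | Select-Object TemporaryAccessPass, StartDateTime, LifetimeInMinutes, IsUsableOnce
```

Omit `-StartDateTime` to make the pass valid immediately, which matches the support-engineer recovery scenario described earlier.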
The user experience when using their temporary access pass
1. To use their temporary access pass the user must first go to: aka.ms/mysecurityinfo and enter their username.
2. When the temporary access password is valid and ONLY when the password is valid, they will be prompted to enter it.
You should know that if they still have MFA or password-less authentication methods configured on their account, they will be prompted for them once the password is entered. In that case, you should delete those authentication methods from the user's account.
3. The user will now be prompted to go through the common multi-factor authentication registration experience.