How to Setup Temporary Access Passwords in Azure AD

  • Post category: Microsoft Entra
  • Post last modified: April 27, 2024

Temporary Access Passwords in Azure AD provide the end user with a passcode that is only usable for a limited, specified time. They can be configured for multi-use or single-use, allowing users to set a permanent password, onboard additional security methods or configure password-less authentication.

They can also be used if a user loses their strong authentication method, such as their mobile phone (for the Microsoft Authenticator app) or a hardware token such as a FIDO2 security key.

In this post I am going to show you how to set up temporary access passwords in Azure AD to facilitate the above scenarios.

Enable the use of Temporary Access Passwords in Azure AD

1. Start by logging into the Azure Active Directory Administrator Portal with your global admin credentials.

2. From the left-hand menu, under Manage select Security.

[Screenshot: Temporary Access Passwords - Security menu]

3. Once you are on the security page, from the left-hand menu, select Authentication methods.

4. On the Policies tab, select Temporary Access Pass from the list of methods.

5. On the Basics tab you have the option to enable the policy. The page advises that it is to be used for onboarding and recovery purposes. You can also target specific users, for example a group of newly created user accounts whose credentials need to be distributed, or a group of users who use hardware token authentication methods that are easily lost.

6. The Configure tab allows you to define settings for your policy. Let me explain… When an administrator creates a temporary access password, they can define the lifetime of the password between the minimum and maximum values you set on this screen. For example, for a new user account you may want to choose 8 hours, as you are unsure at what point of the onboarding day the user will be shown how to log in to their account by their line manager. On the other hand, a support engineer may want to issue a password of only 10 minutes for a user who needs to quickly log in and update their password or authentication method.

[Screenshot: Temporary Access Passwords - Configure tab]

7. Once you have configured your settings, click Update then Save. The method will now show as Enabled in the list.

[Screenshot: Temporary Access Passwords - method shown as Enabled]

How to create a temporary access password for a user

1. In the Azure Active Directory admin portal, go to Users and select your user from the list.

2. From the left-hand menu, select Authentication methods.

[Screenshot: Temporary Access Passwords - user Authentication methods page]

3. You may see the following notification: “Switch to the new user authentication methods experience! Click here to use it now”. Click the button to update the screen.

4. The window will update and you will be presented with the new look. Click Add authentication method.

5. A window will appear from the left with the heading Add authentication method. From the drop-down box select Temporary Access Pass. Here you can choose a delayed start time for user onboarding, and you can set the duration within the limits you defined in the policy.

[Screenshot: Temporary Access Passwords - Add authentication method dialog]

6. Once you click Add, you will be presented with the temporary password, the link the user must go to in order to reset their security info, and the dates between which the pass is valid.
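The same two settings from the portal, the policy's minimum/maximum lifetime from the Configure tab and the per-user lifetime, single-use flag and delayed start from the Add authentication method dialog, can be driven through Microsoft Graph. The following is an added example, not code from the original post: it checks a requested lifetime against the policy window the way the portal does, builds the request body, and posts it to the user's temporaryAccessPassMethods endpoint. The policy values, the user id and the bearer token are placeholders I constructed.

```python
"""Issue a Temporary Access Pass via Microsoft Graph within the tenant policy bounds."""
from datetime import datetime, timezone
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample mirroring the TemporaryAccessPass policy configuration object
# (what an admin set on the Configure tab): 10 minute minimum, 8 hour maximum.
SAMPLE_POLICY = {
    "state": "enabled",
    "minimumLifetimeInMinutes": 10,
    "maximumLifetimeInMinutes": 480,
    "defaultLifetimeInMinutes": 60,
    "isUsableOnce": False,
}


def build_tap_body(policy, lifetime_minutes=None, single_use=True, start=None):
    """Return the JSON body for POST /users/{id}/authentication/temporaryAccessPassMethods.

    Raises ValueError when the policy is disabled or the lifetime falls outside the
    admin-defined window, the same constraint the portal dialog enforces.
    Defaults to single-use so a leaked pass cannot be replayed after first use."""
    if policy.get("state") != "enabled":
        raise ValueError("Temporary Access Pass policy is not enabled")
    lo, hi = policy["minimumLifetimeInMinutes"], policy["maximumLifetimeInMinutes"]
    if lifetime_minutes is None:
        lifetime_minutes = policy["defaultLifetimeInMinutes"]
    if not lo <= lifetime_minutes <= hi:
        raise ValueError(f"lifetime {lifetime_minutes} min is outside policy window {lo}-{hi}")
    body = {
        "lifetimeInMinutes": lifetime_minutes,
        # a policy that forces single-use wins; otherwise the caller decides
        "isUsableOnce": policy.get("isUsableOnce", False) or single_use,
    }
    if start is not None:  # delayed start for onboarding, as in the portal dialog
        body["startDateTime"] = start.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return body


def create_tap(user_id, body, token):
    """POST the pass to Graph (token needs UserAuthenticationMethod.ReadWrite.All).
    The response carries temporaryAccessPass, startDateTime and lifetimeInMinutes."""
    req = urllib.request.Request(
        f"{GRAPH}/users/{user_id}/authentication/temporaryAccessPassMethods",
        data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":  # placeholder values; replace with a real user id and token
    onboarding_start = datetime(2024, 4, 29, 9, 0, tzinfo=timezone.utc)
    print(json.dumps(build_tap_body(SAMPLE_POLICY, 480, start=onboarding_start), indent=2))
```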

The user experience when using their temporary access pass

1. To use their temporary access pass, the user must first go to aka.ms/mysecurityinfo and enter their username.

2. When the temporary access password is valid, and ONLY when it is valid, they will be prompted to enter it.

[Screenshot: Temporary Access Passwords - prompt to enter the temporary pass]

You should know that if they still have MFA or password-less authentication methods configured on their account, they will be prompted for them once the password is entered. In this case, you should delete those authentication methods from the user's account.

[Screenshot: Temporary Access Passwords - deleting existing authentication methods]

3. The user will now be prompted to go through the standard multi-factor authentication registration experience.
