So, “Temporary Access Pass (Preview)” just popped out as an available authentication method in my demo tenant, and I figured this was something that needs investigation!
What is Temporary Access Pass?
I have known about this feature for a long time, and suddenly it is publicly available, however documentation is very lacking. Nothing on docs.microsoft.com, nothing on Google – LOVE IT 🙂
Temporary Access Pass is a way for administrators to create a kind of temporary password for user, that expires, that is super useful for onboarding new users and for aiding users resetting their account credentials. The Temporary Access Pass counts as a strong authentication method, allowing you to enroll into MFA, register SSPR etc..
After enabling the Temporary Access Pass feature, how do I create an access pass for a user? Apparently not on the “Add authentication method” screen:
I know that the authentication methods Graph endpoints was recently updated, but I can find no information about Temporary Access Pass here either. Tried a few endpoints just for good measure:
- https://graph.microsoft.com/beta/me/authentication/tapMethods
- https://graph.microsoft.com/beta/me/authentication/accessPassMethods
- https://graph.microsoft.com/beta/me/authentication/temporaryAccessPassMethods – VOILA
So, apparently the endpoint for Temporary Access Pass is /authentication/temporaryAccessPassMethods under users. Now, how do we create an access pass then? What I usually do is check for pending pull requests on GitHub, and guess what I found?
I found this documentation here, showing how to create a new Temporary Access Pass!
Actually, it seems you do not need any parameters at all, as none are required. Let’s try it out:
POST https://graph.microsoft.com/beta/users/5d6b33db-3cba-4bf1-8978-c206b5f41128/authentication/temporaryAccessPassMethods
{}
Access Denied. Probably because I was missing the UserAuthenticationMethod.ReadWrite.All consent:
And would you look at that!
Now let’s try to sign in with the user:
And I’m in!
The authentication method is still not listed under authentication methods in the Azure AD portal:
The user also cannot see the Temporary Access Pass under security info:
So, when will the announcement of the public preview be?
Good find