Introduction
This setting allows you to enable and configure the Temporary Access Pass (TAP) authentication method for use in Azure Active Directory and Microsoft 365.
What is a temporary access pass?
A Temporary Access Pass (TAP) is a feature that allows IT departments to set up temporary account access permissions for users. These permissions can be set for a limited amount of time, ranging from 10 minutes to 30 days, with Microsoft’s default limit being one hour. TAPs can be used in a variety of scenarios, such as account recovery when a user has forgotten their password or for out-of-the-box Windows provisioning using the Windows Autopilot service. It is not usable for Self Service Password Reset.
One of the main benefits of TAPs is that they are controlled by the IT department. To use TAPs, the feature must first be enabled in the Azure Portal, which requires having Global Admin or Authentication Policy Admin credentials. Once enabled, the IT department can assign TAPs to specific users and send them as needed.
In summary, TAPs are a useful tool for IT departments looking to provide temporary access to accounts in a controlled and secure manner. They can be used in situations such as account recovery and Windows provisioning, and are easy to set up and manage through the Azure Portal once enabled.
Additional Information
For more information about Temporary Access Passes, refer to the Microsoft documentation.
User Impact
Low
Users will not be impacted by this setting.
Parameters
Enabled – Yes/No
Specifies whether temporary access pass authentication method should be enabled or disabled.
Minimum Lifetime – Hours (1 – 8)
Minimum lifetime of a temporary access pass. Must be less than or equal to maximum lifetime.
Maximum Lifetime – Hours (8 – 24)
Maximum lifetime of a temporary access pass. Must be greater than or equal to minimum lifetime.
Default Lifetime – Hours (1 – 24)
Default lifetime of a temporary access pass. Must be greater than or equal to minimum lifetime and less than or equal to maximum lifetime.
One-Time Use – Yes/No
Specifies whether a temporary access pass is limited to one-time use.
Length – Characters (8 – 24)
Specifies the character length of the temporary access pass when generated.
Admin Portal Reference
The Temporary Access Pass authentication method policy can be configured from the Azure Portal.
Azure Active Directory -> Security -> Authentication Methods -> Temporary Access Pass
PowerShell Reference
PowerShell reference not available.
If Action is set to Notify
MSPMagic will compare the parameter values against the values configured in the TAP authentication method policy. If they match, the setting will report as compliant.
If the parameter values do not match the configured values, the setting will report as non-compliant.
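The comparison described above can be reproduced by hand when auditing a tenant. The following is an added example, not MSPMagic's own code: the function name, the `$Desired` key names and the sample values are hypothetical, and it assumes the policy is read from the Microsoft Graph `temporaryAccessPassAuthenticationMethodConfiguration` resource, which stores lifetimes in minutes rather than hours.

```powershell
# Added example: Notify-style check of desired TAP parameters against the tenant policy.
# Test-TapPolicyCompliance and the $Desired key names are hypothetical.
function Test-TapPolicyCompliance {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Desired,  # page parameters, lifetimes in hours
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Policy    # Graph policy object
    )
    # Range and ordering rules taken from the Parameters section.
    if ($Desired.MinimumLifetimeHours -lt 1 -or $Desired.MinimumLifetimeHours -gt 8)  { throw 'Minimum Lifetime must be 1-8 hours' }
    if ($Desired.MaximumLifetimeHours -lt 8 -or $Desired.MaximumLifetimeHours -gt 24) { throw 'Maximum Lifetime must be 8-24 hours' }
    if ($Desired.DefaultLifetimeHours -lt $Desired.MinimumLifetimeHours -or
        $Desired.DefaultLifetimeHours -gt $Desired.MaximumLifetimeHours) { throw 'Default Lifetime must lie between minimum and maximum' }
    if ($Desired.Length -lt 8 -or $Desired.Length -gt 24) { throw 'Length must be 8-24 characters' }

    # Translate the parameters into Graph property names and units (hours -> minutes).
    $expected = [ordered]@{
        state                    = if ($Desired.Enabled) { 'enabled' } else { 'disabled' }
        minimumLifetimeInMinutes = $Desired.MinimumLifetimeHours * 60
        maximumLifetimeInMinutes = $Desired.MaximumLifetimeHours * 60
        defaultLifetimeInMinutes = $Desired.DefaultLifetimeHours * 60
        isUsableOnce             = [bool]$Desired.OneTimeUse
        defaultLength            = $Desired.Length
    }
    # Collect every property whose configured value differs from the expected one.
    $drift = foreach ($key in $expected.Keys) {
        if ("$($Policy[$key])" -ne "$($expected[$key])") {
            [pscustomobject]@{ Property = $key; Expected = $expected[$key]; Actual = $Policy[$key] }
        }
    }
    [pscustomobject]@{
        Status = if ($drift) { 'non-compliant' } else { 'compliant' }
        Drift  = @($drift)
    }
}

# Constructed sample standing in for the live policy. Against a tenant, after
# Connect-MgGraph -Scopes 'Policy.Read.All', the same object can be read with:
#   Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/TemporaryAccessPass'
$policy = @{
    state = 'enabled'; minimumLifetimeInMinutes = 60; maximumLifetimeInMinutes = 480
    defaultLifetimeInMinutes = 60; isUsableOnce = $false; defaultLength = 8
}
$desired = @{
    Enabled = $true; MinimumLifetimeHours = 1; MaximumLifetimeHours = 8
    DefaultLifetimeHours = 1; OneTimeUse = $true; Length = 12
}
$result = Test-TapPolicyCompliance -Desired $desired -Policy $policy
$result.Status
$result.Drift | Format-Table -AutoSize
```

With the constructed sample, the status is non-compliant and the drift table lists `isUsableOnce` and `defaultLength`, the two properties an Enforce action would have to change.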
If Action is set to Enforce
MSPMagic will compare the parameter values against the values configured in the TAP authentication method policy. If they match, the setting will report as compliant.
If the parameter values do not match the configured values, MSPMagic will configure the values in the TAP authentication method policy to match the parameter values and report as compliant-fixed.