Getting new users quickly up-and-running with Temporary Access Pass

This week is a little follow-up on a post of a couple of months ago, and about connecting pieces of the puzzle. That post was around Temporary Access Pass (TAP). Even though that post was focused on Windows devices, it did provide some hints for using TAP on mobile devices (Android, iOS) as well. An often seen and heard challenge is getting new users up-and-running, especially when requiring Multi-Factor Authentication (MFA) for device enrollment, or when trying to work completely passwordless. Those scenarios introduce chicken-and-egg situations: a device must be registered for usage with MFA while the registration itself requires MFA, or an authentication method must be registered before the user can work passwordless. So, to get a new user up-and-running, a temporary authentication method is required to simplify the user experience. That is exactly the challenge that is addressed with TAP, as TAP provides a time-limited passcode that satisfies the strong authentication requirements, which is exactly what those new users need to get up-and-running. This post will quickly go through TAP – as that has been discussed earlier – followed by the required configurations for the mobile platforms, with a focus on corporate-owned devices. This post will end with the user experience.

Important: At the moment of writing, the TAP authentication method is still an Azure AD public preview feature.

Enabling Temporary Access Pass as authentication method

The first configuration is to make sure that TAP is enabled as an authentication method. That authentication method provides users with a time-limited passcode that even satisfies the multi-factor authentication requirement in Conditional Access. That enables users to register their passwordless, or MFA, authentication methods. To enable TAP as an authentication method for users, the IT administrator can enable the TAP authentication method policy. That authentication method policy defines the different settings of TAP, such as the users that can use TAP and the lifetime of TAPs. To enable the TAP authentication method, follow the four steps described below.

  1. Open the Azure portal and navigate to Azure Active Directory > Security > Authentication methods > Policies
  2. On the Authentication methods | Policies blade, select Temporary Access Pass
  3. On the Basics tab of the Temporary Access Pass settings page, provide the following information and click Save
  • ENABLE: Select Yes to enable the use of TAP as an authentication method
  • TARGET: Select All users, or select Select users to specify the users that can use TAP as an authentication method
  4. On the Configure tab of the Temporary Access Pass settings page, provide the following information and click Save
  • Minimum lifetime: Specify a value between 10 – 43200 minutes (default: 1 hour) as the minimum lifetime
  • Maximum lifetime: Specify a value between 10 – 43200 minutes (default: 24 hours) as the maximum lifetime
  • Default lifetime: Specify a value between 10 – 43200 minutes (default: 1 hour) as the default lifetime
  • One-Time: Specify true or false (default: false) to define whether a TAP can be reused within its lifetime
  • Length: Specify a value between 8 – 48 characters (default: 8) as the length

Important: After creating the authentication method policy, don’t forget to add a TAP as an authentication method for the user. That can be achieved by going through the steps that can be found in this post around using TAP.

Note: More configuration details and screenshots can be found in this earlier post around using TAP.
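As an added example (not code from the original post), the same policy settings and the per-user TAP from the steps and the Important note above, expressed as Microsoft Graph request bodies with the limits listed above enforced before anything is sent. The URLs are the Graph v1.0 endpoints for these objects; the user id and the group id are placeholders.

```python
# Build the Graph payloads for the TAP authentication method policy
# (PATCH) and for issuing a TAP to one user (POST), validating the
# ranges the policy page accepts before a request is made.

# Limits as listed in the TAP policy settings (minutes / characters).
MIN_MINUTES, MAX_MINUTES = 10, 43200
MIN_LENGTH, MAX_LENGTH = 8, 48

POLICY_URL = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/TemporaryAccessPass"


def tap_policy(enabled=True, min_life=60, max_life=1440, default_life=60,
               one_time=False, length=8, target_group_id="all_users"):
    """Return the PATCH body for the TemporaryAccessPass configuration.
    Defaults match the portal defaults (1 h / 24 h / 1 h, 8 characters)."""
    for name, val in (("minimum", min_life), ("maximum", max_life), ("default", default_life)):
        if not MIN_MINUTES <= val <= MAX_MINUTES:
            raise ValueError(f"{name} lifetime {val} not in {MIN_MINUTES}-{MAX_MINUTES} minutes")
    if not min_life <= default_life <= max_life:
        raise ValueError("default lifetime must lie between minimum and maximum lifetime")
    if not MIN_LENGTH <= length <= MAX_LENGTH:
        raise ValueError(f"length {length} not in {MIN_LENGTH}-{MAX_LENGTH} characters")
    return {
        "@odata.type": "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration",
        "id": "TemporaryAccessPass",
        "state": "enabled" if enabled else "disabled",
        "minimumLifetimeInMinutes": min_life,
        "maximumLifetimeInMinutes": max_life,
        "defaultLifetimeInMinutes": default_life,
        "isUsableOnce": one_time,
        "defaultLength": length,
        # "all_users" is the built-in target ("All users"); pass a group
        # object id (placeholder here) to scope TAP to selected users.
        "includeTargets": [{"targetType": "group", "id": target_group_id,
                            "isRegistrationRequired": False}],
    }


def tap_for_user(user_id, lifetime=60, one_time=False, android=False, policy=None):
    """Return (url, body) to issue a TAP for one user. Android enrollment
    prompts for the TAP twice, so a one-time TAP is rejected for it."""
    if android and one_time:
        raise ValueError("Android enrollment needs a TAP that is usable more than once")
    if policy and not policy["minimumLifetimeInMinutes"] <= lifetime <= policy["maximumLifetimeInMinutes"]:
        raise ValueError("TAP lifetime must stay within the policy's minimum/maximum lifetime")
    url = f"https://graph.microsoft.com/v1.0/users/{user_id}/authentication/temporaryAccessPassMethods"
    return url, {"lifetimeInMinutes": lifetime, "isUsableOnce": one_time}


if __name__ == "__main__":
    print(tap_for_user("{user-object-id}", android=True, policy=tap_policy()))
```

The POST response carries the generated pass in the temporaryAccessPass property, which is what the user types during enrollment.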

Required configurations for using Temporary Access Pass during Android enrollment

When looking at a new user that receives a corporate-owned Android device, the required configuration is simple. There is no specifically required configuration, besides using Android Enterprise. The enrollment process for corporate-owned devices already relies on modern authentication. That enables the automatic recognition of an available TAP.

Required configurations for using Temporary Access Pass during iOS enrollment

When looking at a new user that receives a corporate-owned iOS device, the required configuration is a bit more challenging. Still no rocket science, but – besides using Automated Device Enrollment – the main challenge is the standard out-of-box-experience with Setup Assistant. The preferred configuration is using Setup Assistant with modern authentication, which is available for iOS/iPadOS 13 and later. That enables the automatic recognition of an available TAP. Setup Assistant with modern authentication can be configured by using an enrollment profile. An enrollment profile can be assigned to devices that are synchronized via ABM to Microsoft Intune. That means that the ADE configuration should be in place. Once that configuration is in place, the following six steps walk through the process of creating the minimal required enrollment profile for iOS/iPadOS devices.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens > {YourEnrollmentToken} > Profiles
  2. On the {YourEnrollmentToken} | Profiles page, click Create profile > iOS/iPadOS to open the Create profile wizard
  3. On the Basics page, provide the required basic information about the profile and click Next
  4. On the Management Settings page, provide at least the following information in the User Affinity & Authentication Method section and click Next
  • User affinity: Select Enroll with User Affinity as value, as the configuration of the authentication method is only applicable in combination with user affinity
  • Authentication Method: Select Setup Assistant with modern authentication as value, to provide the required modern authentication with the Setup Assistant
  • Install Company Portal with VPP: Select Use Token: {YourToken} as value, to enable the required installation of the Company Portal app without the need for a user to first connect a personal Apple account
  5. On the Setup Assistant page, configure the required Setup Assistant screens and click Next
  6. On the Review + create page, verify the configuration and click Create

Note: More configuration details and screenshots can be found in this earlier post around using Setup Assistant.

User experience with Temporary Access Pass during device enrollment

Once the required configurations are in place, the rest is Azure AD magic. The user turns on their device and simply walks through the enrollment process by using their email address and TAP. The best part of that process is that the availability of a TAP for the user is automatically recognized after providing their email address. On iOS/iPadOS, the user must provide their email address followed by the TAP (as shown in Figure 1) once, at the beginning of the enrollment process. On Android, the user must provide their email address followed by the TAP twice (as shown in Figures 2 and 3) during the enrollment process. After going through the enrollment process, the device can be used as an authentication method for any further required actions.

Important: For Android devices, the TAP must be usable more than once (One-Time set to false), because the user has to provide it twice during the enrollment process.

Note: As an alternative the user can use a personally-owned device to register an additional authentication method or to register the Microsoft Authenticator app, by using TAP.

More information

For more information about Temporary Access Pass and the different device enrollments, refer to the following docs.

2 thoughts on “Getting new users quickly up-and-running with Temporary Access Pass”

  1. Is it possible to use TAP in a scenario where IT is deploying a PC to a new user using Autopilot? The IT tech would use TAP to login/register as the user to the user's new laptop to finish any user related configurations?

