
Testing out Temporary Access Pass (TAP)

Microsoft's definitive guide

Create an Entra group, and enable TAP for this group only

Create a TAP using MG PowerShell:


$properties = @{}
$properties.isUsableOnce = $True                                  # one-time pass: consumed by the first successful sign-in
# $properties.startDateTime = '2022-05-23 06:00:00'               # manually set a start date/time, but the line below is more convenient
$properties.startDateTime = (Get-Date).ToString()                 # start the pass now
$propertiesJSON = $properties | ConvertTo-Json
New-MgUserAuthenticationTemporaryAccessPassMethod -UserId testuser@somedomain.onmicrosoft.com -BodyParameter $propertiesJSON

Id       CreatedDateTime     IsUsable IsUsableOnce LifetimeInMinutes MethodUsabilityReason StartDateTime       TemporaryAccessPass
--       ---------------     -------- ------------ ----------------- --------------------- -------------       -------------------
8a337... 6/4/2025 5:10:59 PM True     True         60                EnabledByPolicy       6/4/2025 5:10:58 PM au-mAh&X

Test this for a new account to create a phishing-resistant MFA

  • Go to https://aka.ms/mysecurityinfo and log in as this user using the temp pass.
  • It presented the prompt to use a temporary access pass.
  • It then went to https://mysignins.microsoft.com/security-info; I tried to add a new sign-in method but got an error.

I have MFA enabled for all users, so I suspected that this new account had MFA disabled; checking in both the GUI and PowerShell confirmed it.


$u = Get-MgUser -UserId testuser@somedomain.onmicrosoft.com       # look the user up by UPN to get the object id
$userid = $u.Id
Invoke-MgGraphRequest -Method GET -Uri "/beta/users/$userid/authentication/requirements"   # read the per-user MFA state (beta endpoint)

Name                           Value
----                           -----
@odata.context                 https://graph.microsoft.com/beta/$metadata#users('ee85081c...')/authentication/requirements
perUserMfaState                disabled

Let's enable it with MG PowerShell...


$body = @{"perUserMfaState" = "enabled"}
Invoke-MgGraphRequest -Method PATCH -Uri "/beta/users/$userid/authentication/requirements" -Body $body   # enable per-user MFA
Invoke-MgGraphRequest -Method GET -Uri "/beta/users/$userid/authentication/requirements"                 # confirm the change

Name                           Value
----                           -----
@odata.context                 https://graph.microsoft.com/beta/$metadata#users('ee85081c...')/authentication/requirements
perUserMfaState                enabled

My user session timed out though, and since I had a one-time-use TAP I had to create a new one. This time I set the property $properties.isUsableOnce = $false so I can reuse it, just in case. Now I can add a new sign-in method, and unlike username/password sign-in, which required two steps (first create an MFA method, then create the passkey/FIDO2 key), here I can go directly to creating a passkey/security key.

And after logging out from this user account, I can log in using the newly created security key, without ever knowing or using the account password. PowerShell shows the same set of methods as well:


Get-MgUserAuthenticationMethod -UserId testuser@somedomain.onmicrosoft.com | ForEach-Object {Write-Host $_.AdditionalProperties["@odata.type"]}
#microsoft.graph.passwordAuthenticationMethod 
#microsoft.graph.temporaryAccessPassAuthenticationMethod 
#microsoft.graph.fido2AuthenticationMethod
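As an added example (not code from the original post), here is the reusable-TAP flow above wrapped so the pass is short-lived and is revoked as soon as the security key is registered. It assumes the Microsoft.Graph PowerShell SDK, a Connect-MgGraph session with the UserAuthenticationMethod.ReadWrite.All scope, and the placeholder UPN; the function names are my own.

```powershell
# Added example, not from the original post. Assumes Microsoft.Graph SDK and:
#   Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

function New-EnrollmentTap {
    param(
        [Parameter(Mandatory)] [string] $UserId,
        [int] $LifetimeInMinutes = 30   # keep the window short; enrolment only needs a few minutes
    )
    $body = @{
        isUsableOnce      = $false      # reusable, so a timed-out session does not need a new TAP
        startDateTime     = (Get-Date).ToUniversalTime().ToString("o")   # ISO 8601, start now
        lifetimeInMinutes = $LifetimeInMinutes
    }
    # -BodyParameter accepts a hashtable directly; no ConvertTo-Json needed
    New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserId -BodyParameter $body
}

function Remove-TapIfPasskeyRegistered {
    param([Parameter(Mandatory)] [string] $UserId)
    $fido2 = Get-MgUserAuthenticationFido2Method -UserId $UserId
    if (-not $fido2) {
        Write-Host "No FIDO2 method registered yet for $UserId; leaving the TAP in place."
        return $false
    }
    # Once the passkey exists, an outstanding TAP is just one more credential to lose: revoke it.
    Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserId | ForEach-Object {
        Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserId `
            -TemporaryAccessPassAuthenticationMethodId $_.Id
        Write-Host "Removed TAP $($_.Id) for $UserId"
    }
    return $true
}

# Usage with a placeholder UPN
$upn = 'testuser@somedomain.onmicrosoft.com'
$tap = New-EnrollmentTap -UserId $upn
Write-Host "TAP for $upn (valid $($tap.LifetimeInMinutes) min): $($tap.TemporaryAccessPass)"
# ... the user registers the security key at https://aka.ms/mysecurityinfo, then:
Remove-TapIfPasskeyRegistered -UserId $upn
```

Run Remove-TapIfPasskeyRegistered again after the user confirms enrolment; it returns $false and leaves the TAP alone until a fido2AuthenticationMethod actually shows up on the account.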
