MSP Automator

Technical and Operational Content for MSPs and IT – No ads, no sponsors, no bullshit.

PowerShell Quick Script: Temporary Access Pass

Azure is really cool. Like, really cool.

It can be really hard for MSPs to keep up with the flurry of technologies Microsoft blasts out at an insane pace. Unless you have the time, the mandate, or the raw interest, keeping on the cutting edge of the Azure ecosystem can be a full-time job in itself. At the same time, failing to constantly identify ways to improve your processes, workflows, and technology stack will absolutely come back to screw you later. There are massive gains to be made at most MSPs from relatively low-hanging fruit with minimal time investment. This series of articles will explore quick-to-implement features that you may not know about and how to deploy and use them in your client environments. Today we look at the Temporary Access Pass.

Temporary Access Pass? That just sounds like a password with extra steps.

Well, yes. But also, no? User onboarding automations of all varieties kind of break down and stop being automations at the point where you have to return data to a real person to do something. Typically, this is returning temporary credentials securely to an HR department to distribute to a user on their first day. This process itself is not particularly complicated or troublesome. Users can sign in with the temporary credentials, set up MFA and SSPR, and be off to the races. Most organizations pre-provision access for employees days to weeks in advance so they have a populated calendar and mailbox when they start. This presents a couple of interesting issues:

  1. Unless you build automation to activate or unblock login on the user's first morning, the account will be sitting in a raw state of “ready to enroll MFA.” An account sitting days or weeks with effectively no MFA protection is not an acceptable risk for any organization. Start dates get moved around, and maintaining an unblock schedule by hand is too tedious.
  2. Credentials can get lost or expire in the interim, generating another ticket during onboarding.
  3. This method isn’t usually conducive to passwordless setup, which is becoming increasingly common.
  4. Recovery of MFA can be annoying.

Our Microsoft overlords heard our plea for a better way and released the Temporary Access Pass into public preview earlier this year. It went GA at the end of June.

“A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello. A Temporary Access Pass also makes recovery easier when a user has lost or forgotten their strong authentication factor like a FIDO2 security key or Microsoft Authenticator app, but needs to sign in to register new strong authentication methods.”

Read how to turn on and configure the Temporary Access Pass authentication method for your client tenants here.

Another Onboarding Article? Really?

Okay, valid. But hear me out. This is the best thing since sliced bread. The possibilities are endless and the automation ideas cup overfloweth. TAPs offer some great features.

  1. Ability to delay the start of credential activation. Take the requested onboarding date from your automation and set your TAP to activate the morning the user starts.
  2. Bootstrapping passwordless authentication onboarding with FIDO2 tokens, Windows Hello, or the Microsoft Authenticator.
  3. MFA recovery
  4. If you use PowerShell Universal, you could call this code snippet from a REST API or via webhook to integrate into your PSA or other tooling.

Really, the list goes on. I promised this article would be quick, so let's get to the sauce. I made a little example tool using PowerShell Universal that my team can use for MFA reset. I use an App Registration with Multitenant CSP Privileges registered in each tenant (it needs read/write permission on authentication methods; check out Graph Explorer for more).

param (
	[parameter(Mandatory = $true)]
	[string]$UserPrincipalName,
	[parameter(Mandatory = $true)]
	[string]$StartDate
)

Import-Module Microsoft.Graph.Identity.SignIns
Import-Module MSAL.PS

$dateformat = 'yyyy-MM-ddTHH:mm:ssZ' # ISO 8601 in UTC, which is what Graph expects for startDateTime
$UserStartDate = (Get-Date $StartDate).ToUniversalTime().ToString($dateformat) # Convert whatever date we got into a format we can use

# App-only token for the client tenant; the CSP app credentials live in PowerShell Universal's $Secret: scope
$MsalToken = Get-MsalToken -TenantId $Secret:CSPTenantID -ClientId $Secret:CSPAppID -ClientSecret ($Secret:CSPSecret | ConvertTo-SecureString -AsPlainText -Force)

# Connect to Graph using the access token; bail out if that fails rather than running the create call unauthenticated
try {
	Connect-Graph -AccessToken $MsalToken.AccessToken
}
catch {
	Write-Host $_.Exception.Message
	return
}

# Create a Temporary Access Pass for the user
$properties = @{ }
$properties.isUsableOnce = $True
$properties.startDateTime = $UserStartDate
$properties.lifetimeInMinutes = 480 # this will fall back to whatever maximum lifetime is configured in Azure AD if you try to set it too high

# The SDK takes the hashtable directly as the request body, so no ConvertTo-Json is needed
New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName -BodyParameter $properties | Select-Object TemporaryAccessPass, StartDateTime, LifetimeInMinutes
Powershell Universal is some cool shit
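The snippet above issues a pass for onboarding. The MFA recovery case from the feature list is slightly different: the pass should be usable immediately, live for as short a time as possible, and not leave an older pass lying around. The following is an added example, not the author's PowerShell Universal tool, and it assumes a Graph session already connected (as the script above does) with an identity holding read/write permission on authentication methods; the function name `New-RecoveryTap` is made up for illustration.

```powershell
# Added example (not from the original post). Assumes Connect-Graph has already run,
# as in the snippet above, with rights to read and write authentication methods.
Import-Module Microsoft.Graph.Identity.SignIns

function New-RecoveryTap {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true)]
        [string]$UserPrincipalName,

        # Keep recovery passes short: the user should register a new method straight away.
        [int]$LifetimeInMinutes = 60
    )

    # A user can hold only one Temporary Access Pass. Revoke anything left over first
    # (for example an unused onboarding pass) so a stale pass does not linger.
    $existing = Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName
    foreach ($old in $existing) {
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Remove existing TAP $($old.Id)")) {
            Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName `
                -TemporaryAccessPassAuthenticationMethodId $old.Id
        }
    }

    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Create one-time TAP ($LifetimeInMinutes min)")) {
        # No startDateTime: a recovery pass should work right now. One-time use means a pass
        # that is seen after the user has already consumed it is worthless to anyone else.
        $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName `
            -IsUsableOnce -LifetimeInMinutes $LifetimeInMinutes

        # Return everything the helpdesk needs, including the computed expiry, for the ticket.
        [pscustomobject]@{
            User                = $UserPrincipalName
            TemporaryAccessPass = $tap.TemporaryAccessPass
            StartDateTime       = $tap.StartDateTime
            ExpiresAt           = $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes)
            IsUsableOnce        = $tap.IsUsableOnce
        }
    }
}

# Usage (dry run first; the UPN is a placeholder):
# New-RecoveryTap -UserPrincipalName 'someone@contoso.example' -WhatIf
# New-RecoveryTap -UserPrincipalName 'someone@contoso.example' -LifetimeInMinutes 30
```

`SupportsShouldProcess` gives you `-WhatIf` for free, which is worth having on anything that removes an authentication method. As with the onboarding script, a lifetime above the tenant's configured maximum is silently capped by Azure AD, so keep the default here well under that limit.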

I want to leave you with some resources to further your journey down the AzureAD authentication method rabbit hole. With TAP, SSPR, Microsoft Authenticator, and Passwordless sign in, you can create a robust and user friendly cloud identity platform that doesn’t compromise on security.

Further Recommended Reading

  1. Nudge users to set up Microsoft Authenticator
  2. Enable passwordless sign-in with Microsoft Authenticator
  3. Combined security information registration for Azure Active Directory overview
  4. How to run a registration campaign to set up Microsoft Authenticator
