Microsoft's Temporary Access Pass Now Deemed Ready for Orgs

Microsoft this week announced that the Temporary Access Pass capability, managed from the Azure Portal, has reached the "general availability" commercial-release stage.

A Temporary Access Pass is a time-limited passcode that IT departments issue to a user so that they can sign in for a bounded window, anywhere from 10 minutes to 30 days. Microsoft's default lifetime is one hour.

Use Cases
Organizations may want to use a Temporary Access Pass for account recovery, such as when a user forgets a password.

However, the Temporary Access Pass also can be used as a bridge approach as organizations shift toward passwordless options, such as FIDO2 methods (such as cards or key fobs) or Microsoft's Windows Hello biometric authentication.

The Temporary Access Pass is also helpful when a user has lost or forgotten a strong authentication factor such as a FIDO2 security key or the Microsoft Authenticator app, but needs to sign in to register new strong authentication methods, according to a Microsoft document.

Yet another use case for Temporary Access Passes is out-of-the-box Windows provisioning. It works with the Windows Autopilot service, which is used for user self-service setup of new Windows machines, for instance.

IT Controls
Besides being time limited, a Temporary Access Pass is controlled by the IT department.

First, the department needs to enable the feature in the Azure Portal, which requires Global Admin or Authentication Policy Admin credentials. Next, the Temporary Access Pass needs to be created for a particular user by the IT department before it is delivered to that user.

Users typically access the Temporary Access Pass using a browser via Microsoft's security portal (

IT departments can delete Temporary Access Passes that have expired. They can also issue a new one to override a Temporary Access Pass that was previously sent. It's also possible to use Microsoft Graph APIs to add Temporary Access Pass issuance into "your existing applications or your HR driven provisioning process," the announcement explained.
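The following PowerShell script is an added example that walks through the three IT controls described above (enable the method in the tenant policy, issue a pass to one user, and clean up passes that are no longer usable) using the Microsoft Graph PowerShell SDK. It is not code from the article or from Microsoft's documentation. It assumes the Microsoft.Graph module is installed, that the signed-in admin holds a role permitted to manage authentication methods, and that the v1.0 TemporaryAccessPass policy endpoint accepts the properties shown; the user `alice@contoso.example` is a placeholder.

```powershell
# Added example, not from the article or from Microsoft. Assumes the
# Microsoft.Graph PowerShell SDK and an admin with a role that can manage
# authentication methods. 'alice@contoso.example' is a placeholder UPN.

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod",
                        "UserAuthenticationMethod.ReadWrite.All"

# 1. Enable the Temporary Access Pass method for all users. Lifetimes are in
#    minutes: 10 minutes minimum, 30 days (43200 minutes) maximum, one hour
#    default, matching the limits the article describes. isUsableOnce=$true
#    makes every pass single-use unless an admin overrides it per pass.
$policyUri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy" +
             "/authenticationMethodConfigurations/TemporaryAccessPass"
$policy = @{
    "@odata.type"            = "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration"
    state                    = "enabled"
    defaultLifetimeInMinutes = 60
    minimumLifetimeInMinutes = 10
    maximumLifetimeInMinutes = 43200
    defaultLength            = 8
    isUsableOnce             = $true
    includeTargets           = @(
        @{ targetType = "group"; id = "all_users"; isRegistrationRequired = $false }
    )
}
Invoke-MgGraphRequest -Method PATCH -Uri $policyUri -Body $policy

# 2. Issue a one-hour, single-use pass to a user who lost their security key.
#    A user can hold only one pass; creating a new one replaces the old one.
$user = "alice@contoso.example"   # placeholder
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user `
           -LifetimeInMinutes 60 -IsUsableOnce:$true

# The pass value is returned only in this response; Graph never shows it
# again. Hand it to the user out of band and keep it out of logs and tickets.
$tap | Select-Object TemporaryAccessPass, StartDateTime, LifetimeInMinutes, IsUsableOnce

# 3. Clean up: remove any pass on the account that is no longer usable
#    (expired or already consumed), so stale entries do not linger.
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user |
    Where-Object { -not $_.IsUsable } |
    ForEach-Object {
        Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user `
            -TemporaryAccessPassAuthenticationMethodId $_.Id
    }
```

Two practical notes: keep the help-desk flow that verifies the caller's identity before step 2, because the pass satisfies strong authentication on its own, and prefer the single-use setting so a pass intercepted in transit is worthless once the legitimate user has signed in.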

Microsoft's document also hinted that Temporary Access Passes represent a better approach for organizations using federation, where the authentication happens on an organization's infrastructure.

"For federated domains, a Temporary Access Pass is preferred over federation," the document indicated in a note. "A user with a Temporary Access Pass will complete the authentication in Azure AD and will not get redirected to the federated Identity Provider (IdP)."

On top of the Temporary Access Pass approach, Microsoft has another seemingly similar method, called "one-time passcode," but it's just for use with the Azure AD B2B (Business to Business) service. The one-time passcode capability, released last year, works by e-mailing an invited guest user a single-use code at sign-in time, rather than requiring a password or a federated account.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

