Azure Temporary Access Pass Configuration and Management


Azure Temporary Access Pass (TAP) is a time-limited passcode that an administrator issues to a single user in Microsoft Entra ID (formerly Azure Active Directory). It lets a user sign in, and register permanent authentication methods, when they do not yet have one or have lost it. Think of it as a virtual key that opens the door for a limited time; it is not itself a permission grant.

To configure and manage Azure Temporary Access Pass, you'll need to understand the basics of Azure Active Directory (AAD), the authentication and authorization service behind Azure, and Azure role-based access control (RBAC), which determines what actions users can perform on Azure resources.

The two play different parts: the TAP is what AAD accepts as the user's credential at sign-in, while RBAC decides what the authenticated user may do afterwards. Issuing a pass therefore changes how a user proves who they are, not what they are allowed to touch; users still only have the access their roles give them.

You can create a Temporary Access Pass in the Microsoft Entra admin center or the Azure portal, the web-based interface for managing Azure resources. The portal provides a user-friendly interface for creating, viewing, and deleting Temporary Access Passes; a pass cannot be edited once issued, only deleted and re-created.

What Is Azure TAP?

Azure TAP, or Azure Temporary Access Pass, is a time-limited passcode that an administrator creates for one user in Microsoft Entra ID. It counts as strong authentication on its own, so the user can sign in and register permanent methods such as Microsoft Authenticator or a FIDO2 security key without already having one and without completing extra security prompts.

A TAP is valid only between its start time and the end of its configured lifetime. The default lifetime is one hour; the tenant policy allows anything from 10 minutes up to 43,200 minutes (30 days). A pass can be marked one-time use, so it is consumed by the first successful sign-in, and its length is 8 to 48 characters.

Typical uses are first-day onboarding before a user has any registered method, recovery when a user has lost a phone or security key, and setting up a new device that has no other credential yet.

Because a valid TAP is a bearer credential that stands in for the user's other factors, treat it like a password you are handing over in the clear: keep lifetimes short, prefer one-time passes, and deliver the code over a channel you have verified belongs to the user.

After the pass expires or is consumed, the user signs in with the methods they registered. If they still have none, an administrator has to issue a new pass; there is no renewal of an existing one.

Creating and Managing Azure TAP

The easiest way to create a Temporary Access Pass is the Microsoft Entra admin center (the Azure portal exposes the same user blade). Search for the user in the Users section, open the Authentication methods page, and make sure you're using the new experience, which lists Temporary Access Pass as an addable method.

Who can issue a pass is governed by directory roles. Those assigned the Privileged Authentication Administrator role can create, delete, and view a TAP for admins and members, except themselves. Authentication Administrators can create, delete, and view a TAP for members (non-admin users), except themselves. Global Readers can view TAP details for a user without reading the code itself. No role lets an administrator issue a pass to their own account.

To create a TAP, sign in to the Microsoft Entra admin center as at least an Authentication Administrator. Browse to Identity > Users, select the user you want to create a TAP for, select Authentication methods, and click Add authentication method. Choose Temporary Access Pass, set the lifetime, a delayed start time if the pass should not be valid immediately, and whether it is one-time use, then select Add. The code is displayed once, at creation: copy it then and give it to the user out of band, because neither you nor a Global Reader can retrieve it afterwards.

You can create a TAP for any user, but only users included in the TAP authentication method policy can sign in with it. Those with at least the Authentication Policy Administrator role can update that policy.

The following settings are configured in the TAP authentication method policy: Minimum lifetime (default 1 hour, 10-43,200 minutes), Maximum lifetime (default 8 hours, 10-43,200 minutes), Default lifetime (default 1 hour, 10-43,200 minutes), One-time use (default False), and Length (default 8, 8-48 characters). 43,200 minutes is 30 days. A pass requested with a lifetime outside the minimum-to-maximum window is rejected, and if One-time use is True in the policy, every pass issued in the tenant is single-use regardless of what the administrator selects.

Before any pass can be issued, the Temporary Access Pass method must be enabled in the tenant's authentication methods policy. Enabling it requires at least the Authentication Policy Administrator role (older guidance named Global Administrator, which also works but is broader than needed); the steps are in the next section.

The most common use for a TAP is for a user to register authentication details during first sign-in or device setup, without having to complete extra security prompts. Users go to https://aka.ms/mysecurityinfo, enter their UPN, enter the TAP the administrator read from the Microsoft Entra admin center, and then register their permanent methods.

Azure TAP Policy and Settings

To enable or change the Temporary Access Pass policy, sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator. That role can update the TAP authentication method policy; it does not by itself allow issuing passes to users.

The policy defines tenant-wide settings such as the lifetime bounds for passes created in the tenant and the users and groups who can use a TAP to sign in. Scope it deliberately: include the groups that genuinely onboard or recover this way, and exclude service accounts, the directory synchronization account, and break-glass accounts so that a pass can never be minted for them.

To configure the policy, browse to Protection > Authentication methods > Policies and select Temporary Access Pass. Click Enable, then select the users and groups to include or exclude. You can also modify the default Temporary Access Pass settings, such as the maximum lifetime or the length.

The default value and the range of allowed values for the policy settings are as follows:

  Setting            Default   Allowed values
  Minimum lifetime   1 hour    10-43,200 minutes (30 days)
  Maximum lifetime   8 hours   10-43,200 minutes
  Default lifetime   1 hour    10-43,200 minutes
  One-time use       False     True or False
  Length             8         8-48 characters

After configuring the policy, select Save to apply it and make Temporary Access Pass available to the users in scope. Changes can take a few minutes to replicate before a pass is offered at sign-in.
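The policy bounds above and the per-pass settings from the creation section are the same numbers an administrator has to get right when scripting TAP against Microsoft Graph. The following is an added example written for this article, not code from Microsoft or from the original page: it validates a TAP policy against the tenant-wide limits, builds the PATCH body for the TemporaryAccessPass authentication method configuration, and builds the POST body for a single pass, refusing lifetimes the policy would reject. The Graph resource paths and property names are the documented ones; the group IDs and dates are placeholders, and no network call is made.

```python
"""Validate a Temporary Access Pass (TAP) policy and build the Microsoft Graph
request bodies an administrator would send.  Added example for this article,
not Microsoft's code.  The bounds (10..43,200 minutes, 8..48 characters) are
the policy limits quoted in the text; group IDs and dates are placeholders."""
import json
from datetime import datetime, timedelta, timezone

# Tenant-wide bounds for the TAP authentication method policy.
LIFETIME_MIN, LIFETIME_MAX = 10, 43_200       # minutes (43,200 = 30 days)
LENGTH_MIN, LENGTH_MAX = 8, 48                # characters

# PATCH target for the tenant policy (Graph v1.0).
POLICY_PATH = ("/policies/authenticationMethodsPolicy/"
               "authenticationMethodConfigurations/TemporaryAccessPass")


def validate_policy(minimum, maximum, default, length):
    """Return a list of violations; an empty list means the policy is acceptable."""
    problems = []
    for name, value in (("minimumLifetimeInMinutes", minimum),
                        ("maximumLifetimeInMinutes", maximum),
                        ("defaultLifetimeInMinutes", default)):
        if not LIFETIME_MIN <= value <= LIFETIME_MAX:
            problems.append(f"{name}={value} outside {LIFETIME_MIN}-{LIFETIME_MAX}")
    if not minimum <= default <= maximum:
        problems.append("defaultLifetimeInMinutes must lie between minimum and maximum")
    if not LENGTH_MIN <= length <= LENGTH_MAX:
        problems.append(f"defaultLength={length} outside {LENGTH_MIN}-{LENGTH_MAX}")
    return problems


def policy_patch_body(include_group_ids, exclude_group_ids=(), *,
                      minimum=60, maximum=480, default=60, length=8,
                      usable_once=False):
    """Body for PATCH POLICY_PATH: enable TAP for the include groups only and
    keep service / break-glass accounts out through the exclude groups."""
    problems = validate_policy(minimum, maximum, default, length)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "@odata.type": "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration",
        "state": "enabled",
        "minimumLifetimeInMinutes": minimum,
        "maximumLifetimeInMinutes": maximum,
        "defaultLifetimeInMinutes": default,
        "defaultLength": length,
        "isUsableOnce": usable_once,
        "includeTargets": [{"targetType": "group", "id": gid,
                            "isRegistrationRequired": False}
                           for gid in include_group_ids],
        "excludeTargets": [{"targetType": "group", "id": gid}
                           for gid in exclude_group_ids],
    }


def tap_create_body(lifetime_minutes, policy, *, usable_once=True, start=None):
    """Body for POST /users/{id}/authentication/temporaryAccessPassMethods.
    A lifetime outside the policy's min/max is rejected by the service, so it
    is checked here before the round trip.  If the policy forces one-time use,
    the pass is one-time no matter what the caller asked for."""
    lo, hi = policy["minimumLifetimeInMinutes"], policy["maximumLifetimeInMinutes"]
    if not lo <= lifetime_minutes <= hi:
        raise ValueError(f"lifetime {lifetime_minutes} not within policy {lo}-{hi}")
    body = {"lifetimeInMinutes": lifetime_minutes,
            "isUsableOnce": usable_once or policy["isUsableOnce"]}
    if start is not None:                      # omitted: the pass is valid immediately
        body["startDateTime"] = start.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return body


def tap_expiry(start, lifetime_minutes):
    """The moment the pass stops working: startDateTime + lifetimeInMinutes."""
    return start + timedelta(minutes=lifetime_minutes)


if __name__ == "__main__":
    # Placeholder group IDs: an onboarding group in, a service-account group out.
    policy = policy_patch_body(["00000000-0000-0000-0000-00000000aaaa"],
                               ["00000000-0000-0000-0000-00000000bbbb"])
    print("PATCH", POLICY_PATH)
    print(json.dumps(policy, indent=2))
    start = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    print(json.dumps(tap_create_body(60, policy, start=start)))
    print("expires", tap_expiry(start, 60).isoformat())
```

The script never talks to Graph; it produces the bodies you would send with your own authenticated client, so it runs anywhere. The check in tap_create_body is the one worth keeping in any automation: the service will refuse an out-of-range lifetime, but failing locally keeps a helpdesk tool from silently issuing a pass with a different lifetime than the operator believed.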

Limitations of Azure TAP

A Temporary Access Pass has some limitations to keep in mind:

  • A TAP can't be used with the Network Policy Server (NPS) extension or the Active Directory Federation Services (AD FS) adapter; sign-in flows that pass through those components still need another method.
  • Users in scope for the self-service password reset (SSPR) registration policy or the Microsoft Entra ID Protection multifactor authentication registration policy are required to register authentication methods after they've signed in with a TAP using a browser. They are redirected to the Interrupt mode of combined registration, which doesn't currently support FIDO2 and phone sign-in registration, so those methods have to be added afterwards from the security info page.
  • A one-time TAP used to register a passwordless method such as a FIDO2 security key or phone sign-in has a 10-minute time limit; the user must complete the registration within that window or a new pass is needed.
  • It can take a few minutes for changes to replicate. After a TAP is added to an account it can take a while before the TAP prompt appears, and after a TAP expires users may still see the prompt for a short time.

Troubleshooting Azure TAP

If a TAP isn't offered to a user during sign-in, or the sign-in fails with the message "Temporary Access Pass sign in was blocked due to User Credential Policy", the cause is almost always one of the following:

  • The Temporary Access Pass method is not enabled in the authentication methods policy. Enable it under Protection > Authentication methods > Policies.
  • The user is not in scope for the TAP policy, either because they are in no included group or because they are in an excluded one. Add the user to the policy's scope (or remove the exclusion) and try again.
  • The pass has expired, has not yet reached its start time, or was a one-time pass that has already been used. Check the pass under the user's Authentication methods and issue a new one if needed.
  • The change has not replicated yet. Wait a few minutes before retrying.

Check the cases in that order: the policy state and scope are tenant-level settings that affect every user, while the pass itself is per user.
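The troubleshooting cases above form a fixed decision order, which is easy to encode. The following is an added example for this article, not Microsoft's code: given the tenant policy (state, includeTargets, excludeTargets as Graph returns them), the groups a user belongs to, and a pass in the shape of a Graph temporaryAccessPassAuthenticationMethod (startDateTime, lifetimeInMinutes, isUsableOnce), it returns whether the pass is usable at a given moment and, if not, which of the causes applies. The group names, timestamps and the "consumed" flag are constructed for the demonstration; whether a one-time pass has been used would in practice come from the pass's own status fields.

```python
"""Explain why a Temporary Access Pass is, or is not, usable for a user right
now.  Added example for this article, not Microsoft's code.  Inputs mirror the
Graph TAP policy and temporaryAccessPassAuthenticationMethod objects; the
sample groups, times and the `consumed` flag are constructed."""
from datetime import datetime, timedelta, timezone

ALL_USERS = "all_users"   # id Graph uses for the "All users" include/exclude target


def _parse(ts):
    """Accept Graph's 'Z'-suffixed UTC timestamps as well as datetime objects."""
    if isinstance(ts, datetime):
        return ts
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def user_in_scope(policy, user_groups):
    """Policy scoping as the admin center applies it: an exclusion always wins
    over an inclusion, and 'all_users' includes everyone not excluded."""
    groups = set(user_groups)
    excluded = {t["id"] for t in policy.get("excludeTargets", [])}
    included = {t["id"] for t in policy.get("includeTargets", [])}
    if ALL_USERS in excluded or groups & excluded:
        return False
    return ALL_USERS in included or bool(groups & included)


def diagnose(policy, user_groups, tap, now, *, consumed=False):
    """Return (ok, reason), testing the tenant-level causes first.  The first
    two produce the 'blocked due to User Credential Policy' message; the rest
    concern the individual pass."""
    if policy.get("state") != "enabled":
        return False, "TAP method is disabled in the authentication methods policy"
    if not user_in_scope(policy, user_groups):
        return False, "user is not in scope for the TAP policy"
    now = _parse(now)
    start = _parse(tap["startDateTime"])
    end = start + timedelta(minutes=tap["lifetimeInMinutes"])
    if now < start:
        return False, f"TAP not yet valid (starts {start.isoformat()})"
    if now >= end:
        return False, f"TAP expired at {end.isoformat()}; issue a new one"
    if tap["isUsableOnce"] and consumed:
        return False, "one-time TAP already used; issue a new one"
    return True, f"TAP usable until {end.isoformat()}"


# Constructed sample data: an onboarding group is in scope, service accounts are excluded.
POLICY = {"state": "enabled",
          "includeTargets": [{"targetType": "group", "id": "onboarding-group"}],
          "excludeTargets": [{"targetType": "group", "id": "service-accounts"}]}
SAMPLE_TAP = {"startDateTime": "2024-01-15T09:00:00Z",
              "lifetimeInMinutes": 60, "isUsableOnce": True}

if __name__ == "__main__":
    checks = [
        ("new hire, within the hour", ["onboarding-group"], "2024-01-15T09:30:00Z", False),
        ("new hire, an hour later", ["onboarding-group"], "2024-01-15T10:00:00Z", False),
        ("new hire, pass already used", ["onboarding-group"], "2024-01-15T09:30:00Z", True),
        ("sync account in excluded group", ["onboarding-group", "service-accounts"],
         "2024-01-15T09:30:00Z", False),
    ]
    for label, groups, when, used in checks:
        ok, why = diagnose(POLICY, groups, SAMPLE_TAP, when, consumed=used)
        print(f"{label:34} -> {'OK ' if ok else 'NO '} {why}")
```

The exclusion-wins rule is the detail most often missed when a user "is in the included group" yet still gets the User Credential Policy error: one membership in an excluded group is enough to block the pass.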

Attack Scenarios and Security Risks

Because a TAP is a full credential that satisfies strong authentication, any role that can issue one can effectively sign in as the target user. High-privileged role administrators (Global Administrator, Privileged Authentication Administrator) can therefore use a Temporary Access Pass to gain unauthorized access to Azure AD connector accounts.

This is particularly concerning because AAD connector accounts, above all the "On-Premises Directory Synchronization Service Account" used by Azure AD Connect, hold the permissions needed to write identity data into the tenant, so unauthorized access to them has tenant-wide consequences.

The TAP path complements, rather than replaces, the classic attacks on the sync infrastructure. If an attacker gains access to an unprotected Azure AD Connect server, or to an uncontrolled or unencrypted backup of it, they can read the AADC database and potentially exfiltrate sensitive information.

In fact, with local admin permissions on the AADC server an attacker can exfiltrate the passwords of the Azure AD connector accounts in clear text.

A compromised high-privileged account or service account can use a TAP to create a backdoor on the "On-Premises Directory Synchronization Service Account". The pass is independent of the account's password, so rotating that password does not revoke it, and a long lifetime gives the attacker a ready credential for the sync account.

Members of the "Hybrid Identity Administrator" role have extensive management permissions for service principals and app registrations in Azure AD, which attackers can exploit; a token stolen from such an account is usable wherever it is replayed before it expires.

Here are the attack scenarios to be aware of:

  • Access to unprotected Azure AD Connect servers, or exfiltration from uncontrolled or unencrypted backups, allows access to the AADC database.
  • Passwords of the Azure AD connector account can be exfiltrated in clear text if privilege escalation to local admin permissions on the AADC server succeeds.
  • A refresh or access token from an account holding the "Hybrid Identity Administrator" directory role can be replayed when it is used to apply AADC configuration changes.
  • A Temporary Access Pass can be used by compromised high-privileged accounts or service accounts to create a backdoor on the "On-Premises Directory Synchronization Service Account".

Mitigations that follow from the scenarios: exclude the synchronization account and other service and break-glass accounts from the TAP policy scope so that a pass cannot be created for them; keep the Global Administrator and Privileged Authentication Administrator roles to the minimum; and alert on audit-log entries that register a Temporary Access Pass for those accounts, since an issued pass is the last point at which the backdoor is visible before it is used.
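The last scenario is the one a defender can catch in the tenant's own audit trail, because adding a method for another user is logged regardless of who does it. The following detection is an added example written for this article, not Microsoft's code: it scans records shaped like Microsoft Graph directoryAudit entries (activityDisplayName, initiatedBy.user.userPrincipalName, targetResources[].userPrincipalName, additionalDetails) and raises an alert whenever a Temporary Access Pass is registered for the directory synchronization account or another protected identity. The log lines are constructed; the Sync_ naming pattern is the default for the Entra Connect account, and the exact additionalDetails and resultReason wording that identifies the method is an assumption, so both fields are searched.

```python
"""Flag Temporary Access Pass issuance against accounts that must never get
one (the On-Premises Directory Synchronization Service Account, other service
and break-glass identities).  Added detection example for this article, not
Microsoft's code.  Records follow the Graph directoryAudit shape; the sample
log and the additionalDetails / resultReason wording are constructed."""
import re

# directoryAudit activity written when an administrator adds a method for a user.
ADMIN_REGISTERED = "Admin registered security info"

# Name patterns for identities that must never receive a TAP.  Sync_<server>_<hex>@
# is the default naming of the Entra Connect synchronization account; svc- is a
# local convention assumed for service accounts.
PROTECTED_PATTERNS = [re.compile(r"^sync_[^@]+@", re.I),
                      re.compile(r"^svc[-_.]", re.I)]


def _details(record):
    """additionalDetails is a list of {key, value}; flatten it to a dict."""
    return {d.get("key", ""): d.get("value", "") for d in record.get("additionalDetails", [])}


def is_tap_issuance(record):
    """True when an admin added a Temporary Access Pass for some user.  The
    method name is looked for in both additionalDetails and resultReason."""
    if record.get("activityDisplayName") != ADMIN_REGISTERED:
        return False
    text = " ".join(_details(record).values()) + " " + record.get("resultReason", "")
    return "temporary access pass" in text.lower()


def targets(record):
    return [t.get("userPrincipalName", "") for t in record.get("targetResources", [])
            if t.get("type") == "User"]


def is_protected(upn):
    return any(p.search(upn) for p in PROTECTED_PATTERNS)


def detect(records, protected_upns=()):
    """Return alerts as (actor, target, activityDateTime) for every TAP issued
    to a protected identity, matched by name pattern or explicit list."""
    explicit = {u.lower() for u in protected_upns}
    alerts = []
    for rec in records:
        if not is_tap_issuance(rec):
            continue
        actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")
        for upn in targets(rec):
            if is_protected(upn) or upn.lower() in explicit:
                alerts.append((actor, upn, rec.get("activityDateTime", "")))
    return alerts


def _record(when, actor, target, method, activity=ADMIN_REGISTERED):
    """Build one constructed directoryAudit-shaped record."""
    return {"activityDateTime": when, "activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"type": "User", "userPrincipalName": target}],
            "additionalDetails": [{"key": "AuthenticationMethod", "value": method}],
            "resultReason": f"Admin registered {method.lower()} method for user"}


# Constructed sample log, not data from a real tenant.
SAMPLE_LOG = [
    _record("2024-01-15T09:01:12Z", "admin@contoso.com", "alice@contoso.com",
            "Temporary Access Pass"),                       # legitimate onboarding
    _record("2024-01-15T03:17:40Z", "helpdesk-admin@contoso.com",
            "Sync_AADC01_5d1f3c2b9e7a@contoso.onmicrosoft.com",
            "Temporary Access Pass"),                       # backdoor on the sync account
    _record("2024-01-15T09:05:00Z", "admin@contoso.com", "alice@contoso.com",
            "Phone"),                                       # not a TAP
    _record("2024-01-15T09:06:00Z", "admin@contoso.com", "alice@contoso.com",
            "Temporary Access Pass", activity="Update user"),  # different activity
]

if __name__ == "__main__":
    for actor, target, when in detect(SAMPLE_LOG, protected_upns=["ga-breakglass@contoso.com"]):
        print(f"ALERT {when}: {actor} issued a Temporary Access Pass for {target}")
```

Run against real exports, the explicit list should carry every break-glass and service UPN that does not follow a naming pattern, and the alert should page rather than merely log: a pass is short-lived by design, so the window in which it can be deleted before use is small.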

Register Yubikeys with Microsoft Entra ID FIDO2 Provisioning APIs

Microsoft has added FIDO2 provisioning APIs to Microsoft Entra ID that let an administrator register a YubiKey, or any other FIDO2 security key, on behalf of a user. The key is bound to the user's account before it is handed over, so the user can sign in passwordless from the first day without registering anything themselves.

Registering keys on behalf of users through these APIs streamlines onboarding: the user receives a key that already works, rather than a credential they must then use to enrol their own key.

Temporary Access Passes can also be used to let users register FIDO2 keys, but that means issuing and delivering a bearer code and leaving the registration step to the user. Pre-provisioning through the FIDO2 provisioning APIs avoids the pass altogether, which is why it is the more secure and efficient option wherever an administrator handles the keys anyway.

Frequently Asked Questions

How do I create a temporary password for Azure?

Strictly, a Temporary Access Pass is not a password but a time-limited passcode that stands in for one. In the Microsoft Entra admin center (or the Azure Active Directory blade of the Azure portal), select the user, open Authentication methods, choose Add authentication method and pick Temporary Access Pass; set the lifetime and, if it should work for a single sign-in only, tick one-time use. The generated code is shown once, and the user enters it at https://aka.ms/mysecurityinfo to register their permanent methods.

What is a temporary access?

In this context, temporary access means a credential or privilege that is valid only for a defined window set by policy. A Temporary Access Pass is the Microsoft Entra ID form of it: a passcode that works between its start time and the end of its lifetime, optionally for a single sign-in, after which the user must rely on the methods they registered.

Thomas Goodwin

Lead Writer

Thomas Goodwin is a seasoned writer with a passion for exploring the intersection of technology and business. With a keen eye for detail and a knack for simplifying complex concepts, he has established himself as a trusted voice in the tech industry. Thomas's writing portfolio spans a range of topics, including Azure Virtual Desktop and Cloud Computing Costs.
