{"id":102,"date":"2021-03-09T17:16:06","date_gmt":"2021-03-09T17:16:06","guid":{"rendered":"http:\/\/move2modern.uk\/?p=102"},"modified":"2023-01-04T13:24:55","modified_gmt":"2023-01-04T13:24:55","slug":"how-to-setup-temporary-access-pass-with-intune","status":"publish","type":"post","link":"https:\/\/move2modern.uk\/index.php\/2021\/03\/09\/how-to-setup-temporary-access-pass-with-intune\/","title":{"rendered":"<a href=\"https:\/\/move2modern.weebly.com\/blog-posts\/what-is-temporary-access-pass-tap\">How to setup\u00a0 Temporary Access Pass with Intune<\/a>"},"content":{"rendered":"\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe title=\"Bitesize - Setup Temporary Access Pass authentication with Microsoft Intune\" width=\"810\" height=\"456\" src=\"https:\/\/www.youtube.com\/embed\/vf9pX0_ukPs?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>If you\u2019re like me you may have seen a few blog posts coming out around Temporary Access Pass or TAP recently. Anything around passwords grabs my attention so thought this would be a good opportunity to find out a bit more about it. As I work within the Modern desktop area I wanted to add a slightly different view of this and see how it integrates with Microsoft Endpoint Manager (MEM).<\/p>\n\n\n\n<p>To give a little context to this feature, I have personally witnessed an increased interest from companies over the last year wanting to implement Passwordless authentication with Windows Hello for Business being a common option. &nbsp;TAP introduces a new Passwordless method to the stack to sit alongside Azure AD multi-factor authentication helping the cause to dump our passwords. 
Microsoft announced at Ignite 20201 they are making Passwordless login a standard feature for their cloud-based Active Directory.<br>The drive to introduce these methods is backed by Microsoft\u2019s research which&nbsp;shows that most cyber attacks start with a compromised username or password. While you can try to counter this by enforcing long or complex passwords as well as MFA, this generally frustrates end users and can increase support costs.&nbsp;&nbsp;<\/p>\n\n\n\n<p>The premise for Passwordless authentication is:<\/p>\n\n\n\n<p>\u201c<em>With passwordless, the password is replaced with something you have plus something you are or something you know. For example, Windows Hello for Business can use a biometric gesture like a face or fingerprint, or a device-specific PIN that isn\u2019t transmitted over a network.<\/em>\u201d \u2013 Microsoft.<br>Microsoft are looking to emphasize the importance of introducing stronger but also simpler methods of authentication.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/move2modern.weebly.com\/uploads\/1\/3\/6\/3\/136382350\/editor\/hierarchy-passwords.png?1618153631\" alt=\"Picture\"\/><\/figure>\n\n\n\n<p>Diagram provided by Microsoft:&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/authentication\/concept-authentication-methods\">Authentication methods and features \u2013 Azure Active Directory | Microsoft Docs<\/a><br>Passwordless authentication can already be configured with the following methods:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Windows Hello for Business<\/li>\n\n\n\n<li>Security key sign-ins using FIDO2 security keys or<\/li>\n\n\n\n<li>Phone sign-in with the Microsoft Authenticator App<\/li>\n<\/ul>\n\n\n\n<p>TAP becomes useful, however, in providing access for users when enrolling with new services without generating a password. 
A pass can be created using the REST API, but a more user-friendly setup, and the one I will show here, is the user interface within the Azure portal and MEM. IT admins set up a one-time, short-term login code which is provided to end users either as part of their initial login or when they need to recover account access after losing a phone or security key used for authentication. By navigating to&nbsp;<a href=\"https:\/\/aka.ms\/mysecurityinfo\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/aka.ms\/mysecurityinfo<\/a>&nbsp;the user can use the assigned code to log in and change their authentication methods, such as their registered phone and number, thereby reducing the security risk.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/move2modern.weebly.com\/uploads\/1\/3\/6\/3\/136382350\/editor\/passwordless-login-box.png?1615321587\" alt=\"Picture\"\/><\/figure>\n\n\n\n<p>So how is this set up?<br>Keep in mind this is still in preview and the options could change. The service is also disabled by default, although I do see the benefit of enabling it out of the box. To enable the service, log in to the Azure portal (https:\/\/portal.azure.com) and choose some initial settings as shown below. 
You will need to log in with either a Global Administrator or Authentication Method Policy admin account to update the TAP authentication methods.<\/p>\n\n\n\n<p>You can see above where \u2018Temporary Access Pass (preview)\u2019&nbsp;is initially set to \u2018No\u2019.<\/p>\n\n\n\n<p><strong><u>Enable Temporary Access Pass (TAP)<\/u><\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Sign in to your Azure portal<\/li>\n\n\n\n<li>Navigate to&nbsp;<strong>Security&nbsp;<\/strong>then&nbsp;<strong>choose Authentication methods<\/strong><\/li>\n\n\n\n<li>Select&nbsp;<strong>Temporary Access Pass (Preview)<\/strong><\/li>\n\n\n\n<li>This will open up the details section below.&nbsp;<\/li>\n\n\n\n<li>Switch&nbsp;<strong>Enable&nbsp;<\/strong>to \u2018Yes\u2019<\/li>\n\n\n\n<li>Set the&nbsp;<strong>Target&nbsp;<\/strong>setting to \u2018All users\u2019<\/li>\n\n\n\n<li>Click&nbsp;<strong>Save<\/strong><\/li>\n<\/ul>\n\n\n\n<p>Alongside this, in the \u2018<strong>General<\/strong>\u2019 section on the right-hand side you will find settings for changing the minimum and maximum lifetime of the passcode, and you can set&nbsp;\u2018<strong>Require One-time use<\/strong>\u2019.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>I set this to \u2018Yes\u2019 for my own testing here, but it may suit you to keep it set to \u2018No\u2019 for situations such as an initial user login.<\/p>\n\n\n\n<p>One interesting test has been to see what happens during the OOBE setup using Autopilot. Peter Klapwijk wrote a great post on this which you can see at&nbsp;<a href=\"https:\/\/www.inthecloud247.com\/my-first-experience-with-temporary-access-pass-during-windows-autopilot-enrollment\/\">My first experience with Temporary Access Pass during Windows Autopilot enrollment | In The Cloud 247<\/a>. 
There he shows the use of TAP when onboarding a new user with a new Windows 10 device.<\/p>\n\n\n\n<p>In my own testing I wondered how this would work when enabling the service after a Windows 10 device had already been enrolled into Intune. The device in question was running Windows 10 20H2 and had been enrolled into Intune using Autopilot. Once all the configuration had completed, I enabled TAP as described above and then switched back into Microsoft Endpoint Manager for the same tenant.<\/p>\n\n\n\n<p><strong>Create a Temporary Access Pass for a User<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Log in to Microsoft Endpoint Manager (https:\/\/endpoint.microsoft.com)<\/li>\n\n\n\n<li>Open Users<\/li>\n\n\n\n<li>Select a user<\/li>\n\n\n\n<li>Choose&nbsp;<strong>Authentication methods<\/strong>&nbsp;on the menu<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>It is worth noting that if it\u2019s the first time you\u2019re switching this on for a specific user, you may need to click the<br>\u2018Switch to the new Authentication&nbsp;methods experience\u2026\u2019 banner as shown below.<br>Then at the top select \u2018+ Add Authentication&nbsp;method\u2019 and choose \u2018Temporary Access Pass (Preview)\u2019 from the drop-down menu.<br>By default the duration is set to 1 hour and the One-time Pass is set to \u2018No\u2019. You can also tick the check box to delay the start of the pass, which may be useful for new joiners. Here you can set:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The start date<\/li>\n\n\n\n<li>Time&nbsp;<\/li>\n\n\n\n<li>Timezone<\/li>\n<\/ul>\n\n\n\n<p>Once set for my user, I logged off my Windows 10 device to bring up the login page. 
Here I selected the PIN option for login, then clicked \u2018Forgot my PIN\u2019 and hey presto, I\u2019m prompted for an access pass.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>The next test was to check whether the timeout for the pass actually works. After waiting the full hour I tried again.<br>As you can see, the one-time pass had already expired.<\/p>\n\n\n\n<p>Back on the Windows 10 device I ran through the same test: select PIN as my authentication method and choose Forgot PIN. The experience you get is the same, where you are prompted to enter a Temporary Access Pass, but when entering the previous pass it fails.<br>I think there is room for improvement here. The screen should maybe say \u2018You do not have a Temporary Access Pass assigned, contact your administrator\u2019. It should at least not provide this option to the user, and only make it available when a temporary access pass is available. Overall I like this feature and think it will certainly introduce a quick and easy way of both maintaining security and making life easier for IT admins.<\/p>\n\n\n\n<p>What are your thoughts and experiences with TAP? 
\u2026\u2026\u2026\u2026.Send me your comments.<\/p>\n\n\n\n<p><strong>Tags<\/strong><br>#Temporaryaccesspass #Intune #Passwordless #Authentication #mem #TAP #MFA #windows #microsoft<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you\u2019re like me you may have seen a few blog posts coming out around Temporary Access Pass or TAP<\/p>\n","protected":false},"author":1,"featured_media":159,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"footnotes":""},"categories":[19,3,17],"tags":[],"class_list":["post-102","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud-management-community","category-intune","category-youtube"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/posts\/102","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/comments?post=102"}],"version-history":[{"count":1,"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/posts\/102\/revisions"}],"predecessor-version":[{"id":103,"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/posts\/102\/revisions\/103"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/media\/159"}],"wp:attachment":[{"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/media?parent=102"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/categories?post=102"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\
/tags?post=102"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}