Microsoft adds support for temporary passcodes to Azure AD

Users can now issue time-limited passcodes through Azure Active Directory (Azure AD), which can be used to register new passwordless authentication methods, to complete Windows onboarding, or to recover accounts more easily after credentials or FIDO2 keys have been lost.

Once the feature is turned on in the Azure AD authentication method policy in the Azure portal, users can register their authentication details (either signing up for the first time or configuring a device) using what Microsoft calls a Temporary Access Pass (TAP).

Only certain roles, such as Global administrators, Privileged Authentication administrators, and Authentication administrators, can create and delete TAPs.

When editing the authentication method policy to enable Temporary Access Pass, administrators can define the allowed lifetime (anywhere between 10 minutes and 30 days), set the default lifetime, require passes to be one-time use, and choose the passcode length.
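As an added illustration (not code from the article or from Microsoft), a small Python check that models the policy settings just described and validates both a tenant's TAP policy and an individual pass request against it. The field names mirror the Microsoft Graph TemporaryAccessPass authentication method configuration and are an assumption, as are the 8 to 48 character passcode length bounds; only the 10 minute to 30 day lifetime range comes from the article.

```python
from dataclasses import dataclass

# Lifetime bounds stated in the article: 10 minutes up to 30 days.
MIN_LIFETIME_MINUTES = 10
MAX_LIFETIME_MINUTES = 30 * 24 * 60  # 43200

# Passcode length bounds: assumed from Microsoft's documentation, not from the article.
MIN_LENGTH, MAX_LENGTH = 8, 48


@dataclass
class TapPolicy:
    """Tenant-wide Temporary Access Pass settings.

    Field names follow the Graph temporaryAccessPassAuthenticationMethodConfiguration
    resource (assumed names, not taken from the article)."""
    state: str                        # "enabled" or "disabled"
    minimum_lifetime_in_minutes: int
    maximum_lifetime_in_minutes: int
    default_lifetime_in_minutes: int
    default_length: int               # passcode length in characters
    is_usable_once: bool              # True means every pass is single-use


def policy_problems(p: TapPolicy) -> list:
    """Return the reasons a policy is unacceptable; an empty list means it passes."""
    problems = []
    if p.minimum_lifetime_in_minutes < MIN_LIFETIME_MINUTES:
        problems.append("minimum lifetime below 10 minutes")
    if p.maximum_lifetime_in_minutes > MAX_LIFETIME_MINUTES:
        problems.append("maximum lifetime above 30 days")
    if p.minimum_lifetime_in_minutes > p.maximum_lifetime_in_minutes:
        problems.append("minimum lifetime exceeds maximum lifetime")
    if not p.minimum_lifetime_in_minutes <= p.default_lifetime_in_minutes <= p.maximum_lifetime_in_minutes:
        problems.append("default lifetime outside [minimum, maximum]")
    if not MIN_LENGTH <= p.default_length <= MAX_LENGTH:
        problems.append("passcode length outside 8..48 characters")
    return problems


def request_problems(p: TapPolicy, lifetime_in_minutes: int, is_usable_once: bool) -> list:
    """Check one pass-creation request against the policy before a pass is issued."""
    problems = []
    if p.state != "enabled":
        problems.append("Temporary Access Pass method is not enabled")
    if not p.minimum_lifetime_in_minutes <= lifetime_in_minutes <= p.maximum_lifetime_in_minutes:
        problems.append(f"requested lifetime {lifetime_in_minutes} min outside policy range")
    if p.is_usable_once and not is_usable_once:
        problems.append("policy requires one-time passes but a reusable pass was requested")
    return problems
```

Running the same checks over the policy exported from a tenant is a cheap way to catch a default lifetime that quietly drifted to the 30-day maximum.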

A Microsoft Docs support article provides detailed instructions on how to generate, use, and delete temporary passcodes for Azure AD.

“Temporary access pass can be used to securely register passwordless methods such as phone sign-in, phishing resistant methods like FIDO2, and can even assist in Windows onboarding (Azure AD Join and Windows Hello for Business),” Microsoft said.

“Temporary access pass makes recovery easier when you have lost or forgotten your strong authentication methods and need to sign in to register new authentication methods.”

Redmond announced two months ago that all current Azure Active Directory (Azure AD) tenants would begin receiving more secure default settings in June.

The announcement followed the enabling of security defaults for 60,000 new tenants in January 2020. According to Microsoft, two years after their introduction, security defaults now protect more than 30 million organisations worldwide by enforcing modern authentication standards such as multifactor authentication and passwordless sign-in.

“When complete, this rollout will protect an additional 60 million accounts (roughly the population of the United Kingdom!) from the most common identity attacks,” explained Alex Weinert, Director of Identity Security at Microsoft.

Anyone who does not want security defaults enabled for their organisation can quickly turn them off via the Azure Active Directory properties page or the Microsoft 365 admin centre.

Even so, Weinert says that MFA blocks over 99.9% of account compromise attacks and that organisations with security defaults enabled experience 80% fewer breaches.

To put this in perspective, Microsoft also said in February that Office 365 and Azure AD users had been targeted by billions of phishing emails and brute-force attacks, and that such attempts become substantially harder once MFA and passwordless authentication are enabled.