Controlling how and when users register for Multi-Factor Authentication (MFA) or Sel-Service Password Reset (SSPR) is crucial for managed security for Microsoft 365. Microsoft Entra’s Conditional Access Policy offers an innovative approach to strengthening your cybersecurity for Microsoft cloud environment.
This functionality allows organizations to manage the registration process as they would any application in a Conditional Access Policy, leveraging the full capabilities of Conditional Access to secure the experience. Users who sign in to the Microsoft Authenticator app or enable passwordless phone sign-in are governed by this policy.
With the addition of Temporary Access Pass (TAP) in Microsoft Entra ID, administrators can provide time-limited credentials to their users that allow them to register from any device or location. TAP credentials satisfy Conditional Access requirements for multifactor authentication.
Create a Policy to Secure Registration
The following policy applies to users attempting to register using the combined registration experience. The policy requires users to be in a trusted network location, perform multifactor authentication, or use Temporary Access Pass credentials.
Sign in to the Microsoft Entra admin center as a Conditional Access Administrator.
Browse to Protection > Conditional Access.
Select Create new policy.
In Name, enter a name for this policy, e.g., Combined Security Info Registration with TAP.
Under Assignments, select Users or workload identities.
Under Include, select All users.
Under Exclude:
Select All guest and external users.
Select Directory roles and choose Global Administrator.
Select Users and groups and choose your organization's emergency access or break-glass accounts.
Under Target resources > User actions, check Register security information.
Under Conditions > Locations:
Set Configure to Yes.
Include Any location.
Exclude All trusted locations.
Under Access controls > Grant:
Select Grant access, Require multifactor authentication.
Click Select.
Confirm your settings and set Enable policy to Report-only.
Select Create to enable your policy.
After confirming the settings in report-only mode, administrators should switch the "Enable policy" toggle from Report-only to On. Administrators must issue Temporary Access Pass credentials to new users to satisfy multifactor authentication requirements for registration.
Organizations may choose to require other grant controls in addition to or instead of Require multifactor authentication at step 8a. When selecting multiple controls, ensure to select the appropriate radio button toggle to require all or one of the selected controls.
Guest User Registration
For guest users needing to register for multifactor authentication in your directory, you may choose to block registration from outside trusted network locations using the following guide:
Sign in to the Microsoft Entra admin center as a Conditional Access Administrator.
Browse to Protection > Conditional Access.
Select Create new policy.
In Name, enter a name for this policy, e.g., Combined Security Info Registration on Trusted Networks.
Under Assignments, select Users or workload identities.
Under Include, select All guest and external users.
Under Target resources > User actions, check Register security information.
Under Conditions > Locations:
Configure Yes.
Include Any location.
Exclude All trusted locations.
Under Access controls > Grant:
Select Block access
Click Select.
Confirm your settings and set Enable policy to Report-only.
Select Create to enable your policy.
After confirming the settings in report-only mode, administrators should switch the Enable policy toggle from Report-only to On.
Create a Temporary Access Pass
After you enable a policy, you can create a Temporary Access Pass for a user in Microsoft Entra ID. The following roles can perform actions related to a Temporary Access Pass in Microsoft Entra ID:
Global Administrators can create, delete, and view a Temporary Access Pass on any user (except themselves),
Privileged Authentication Administrators can create, delete, and view a Temporary Access Pass on admins and members (except themselves),
Authentication Administrators can create, delete, and view a Temporary Access Pass on members (except themselves),
Global Reader can view the Temporary Access Pass details on the user (without reading the code itself).
Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
Browse to Protection > Authentication methods.
Select Temporary Access Pass.
Define a custom activation time or duration and select Add.
Once added, the details of the Temporary Access Pass are shown. Make a note of the actual Temporary Access Pass value. You provide this value to the user. You can't view this value after you select Ok.
Use a Temporary Access Pass
The most common use for a Temporary Access Pass is to enable a user to register authentication details during their first sign-in or device setup, without needing to complete extra security prompts. Authentication methods are registered at https://aka.ms/mysecurityinfo. Users can also update existing authentication methods here.
Open a web browser to https://aka.ms/mysecurityinfo.
Enter the UPN of the account you created the Temporary Access Pass for.
If the user is subject to the Temporary Access Pass policy, they will see a screen prompting them to enter their Temporary Access Pass.
Enter the Temporary Access Pass that was displayed in the Microsoft Entra admin center.
Note: For federated domains, a Temporary Access Pass is preferred over federation. A user with a Temporary Access Pass completes the authentication in Microsoft Entra ID and isn't redirected to the federated Identity Provider (IdP).
The user is now signed in and can update or register a method such as a FIDO2 security key. Users who update their authentication methods due to losing their credentials or device should ensure they remove the old authentication methods. Users can also continue to sign in using their password; a Temporary Access Pass does not replace a user's password
Users managing their security information at https://aka.ms/mysecurityinfo see an entry for the Temporary Access Pass. If a user does not have any other registered methods, they get a banner at the top of the screen that says to add a new sign-in method. Users can also see the TAP expiration time, and delete the TAP if it's no longer needed.
Guest Access
Guest users can sign in to a resource tenant using a Temporary Access Pass issued by their home tenant, provided it meets the home tenant's authentication requirements. If Multi-Factor Authentication (MFA) is required by the resource tenant, the guest user must complete MFA to access the resource.
Expiration
An expired or deleted Temporary Access Pass cannot be used for any form of authentication. Users must use alternative authentication methods once the Temporary Access Pass expires or is deleted. Tokens obtained via a Temporary Access Pass (e.g., session, refresh, access tokens) are limited to the pass's lifetime and expire with it.
Deleting an Expired Temporary Access Pass
To delete an expired Temporary Access Pass:
Sign in to the Microsoft Entra admin center as an Authentication Policy Administrator.
Navigate to Identity > Users, select a user (e.g., Tap User), then choose Authentication methods.
Next to the Temporary Access Pass in the list, select Delete.
Replacing a Temporary Access Pass
A user can have only one Temporary Access Pass at a time. It is usable within its validity period. To issue a new pass:
If the existing pass is valid, creating a new one will override it.
If the existing pass is expired, the new pass will replace it.
Limitations
A one-time Temporary Access Pass for Passwordless methods like FIDO2 or Phone sign-in must be used within 10 minutes of sign-in.
Users subject to SSPR or Identity Protection MFA registration policies must register for authentication methods post-sign-in using a browser. FIDO2 and Phone Sign-in registration are not supported in this mode.
A Temporary Access Pass is incompatible with the Network Policy Server (NPS) extension and Active Directory Federation Services (AD FS) adapter.
Replication delays may cause a delay in the Temporary Access Pass prompt appearing post-creation, or its prompt may still appear briefly after expiration.
Stay ahead of threats by customizing your Conditional Access policies to fit your organization's security and compliance for Microsoft 365 posture.
To help you to have peace of mind knowing your business is secure, click here to schedule a Microsoft 365 Secure Score review with our experts today. We'll evaluate your current cybersecurity measures, identify potential vulnerabilities, and help you implement a strategic security plan to keep your company safe.