One of the requirements to use FIDO2 security keys with your Microsoft 365 or Azure Active Directory account is multi-factor authentication. So if the user has not added an authentication method, they need to do that first, in order to add the FIDO2 security key to the account. That is sort of a chicken and egg situation.
To work around that, we can use Azure Active Directory’s Temporary Access Pass (TAP) to onboard the user. Using this method, the TAP satisfies the MFA requirement, so users can use it to bootstrap passwordless methods such as Windows Hello, FIDO2 keys, and the Microsoft Authenticator app. In this blog post, we take a look at how to set that up in your environment.
First things first
To support FIDO2 keys as an authentication method, we need three things in place:
- Combined registration portal for MFA and SSPR enrollment
- Authentication policy for FIDO2
- Authentication policy for Temporary Access Pass
The new combined registration experience is enabled by default on newer tenants, but if you have an older tenant, go to Azure Active Directory -> User Settings -> Manage user feature settings, and make sure that users can use the combined security information registration experience.
Next, go to Azure Active Directory -> Security -> Authentication methods, and make sure that both FIDO2 Security Key and Temporary Access Pass are enabled, either for all users or for a selected group of users.
You can configure additional settings, for example to allow only specific key models. You can also change the default settings for the Temporary Access Pass. For now, we leave these at their defaults.
Now, if a user has not set up any authentication method before, they are prompted with the following error when they try to register a new key at https://aka.ms/setupsecurityinfo.
“To set up a security key, you need to sign in with two-factor authentication.”
This is where the Temporary Access Pass comes into play. Let’s create one for our test user.
For the specific user, go to the Authentication methods blade, and add a new Temporary Access Pass.
For this use case, we set the One-time use switch to Yes, so the TAP expires after it has been used once. After the TAP is created, the required information is shown in the portal:
Now, as the user, go to https://aka.ms/mysecurityinfo. Make sure it’s a fresh session, meaning that the user is not signed in. Ideally, use a private browser session. Enter the username, and click Next.
Now, instead of the password, the user is asked to enter the Temporary Access Pass.
After you’ve signed in, click + Add method, and select Security key from the dropdown menu.
Depending on the type of key you are using, select USB or NFC device. In my case, I use the Authentrend ATKey.Pro, so I select USB. I have already enrolled the key with my fingerprint, using the standalone enrollment (with a power bank).
The next steps are pretty straightforward, but I’ll show all the screens to give an idea of the entire process.
If this is a new key, the user is prompted to set up a new PIN for this device. The ATKey.Pro has a built-in fingerprint reader, which can be used as well. If you enrolled your fingerprint earlier, a PIN is not required.
And that’s it! The user can now sign in using the FIDO2 security key, and does not have to provide a password anymore. As you can see, the Temporary Access Pass has expired after its single use. Note that the regular password can still be used: the user no longer needs to enter it, but it has not been removed from the account.
Wrap things up
Temporary Access Pass can be used to enroll your users into passwordless methods, as we have seen in this blog post. If you have an existing process or application for user onboarding in place, you can make use of the Graph API to create TAPs for your users. Or you can build a PowerApp for your helpdesk staff, like this example:
Learn more about Temporary Access Pass:
Azure Active Directory Temporary Access Pass – JanBakker.tech
Temporary Access Pass is now in public preview – Microsoft Tech Community
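The Graph API route mentioned in the wrap-up, as an added example (my code, not the post’s or Microsoft’s): it builds and sends the Graph request that creates a one-time TAP for a user, rejects lifetimes outside the range the TAP policy allows, and keeps the pass value out of logs. It assumes a Graph access token with the UserAuthenticationMethod.ReadWrite.All permission in the GRAPH_TOKEN environment variable; the user name and the lifetime bounds are not from the post.

```python
"""Create a Temporary Access Pass through Microsoft Graph.

Assumed (not from the original post): a Graph token with the
UserAuthenticationMethod.ReadWrite.All permission in GRAPH_TOKEN.
"""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
MIN_LIFETIME_MINUTES = 10      # bounds enforced by the TAP method policy
MAX_LIFETIME_MINUTES = 43200   # 30 days


def lifetime_is_valid(minutes: int) -> bool:
    """True when the requested lifetime is within the policy bounds."""
    return MIN_LIFETIME_MINUTES <= minutes <= MAX_LIFETIME_MINUTES


def build_tap_request(user, lifetime_minutes=60, usable_once=True):
    """Return (url, body) for the Graph call that creates a TAP.
    isUsableOnce=True matches the One-time use switch in the post:
    the pass stops working after the first successful sign-in."""
    if not lifetime_is_valid(lifetime_minutes):
        raise ValueError(f"lifetimeInMinutes must be {MIN_LIFETIME_MINUTES}.."
                         f"{MAX_LIFETIME_MINUTES}, got {lifetime_minutes}")
    url = f"{GRAPH}/users/{user}/authentication/temporaryAccessPassMethods"
    body = {"lifetimeInMinutes": lifetime_minutes, "isUsableOnce": usable_once}
    return url, body


def create_tap(user, lifetime_minutes=60, usable_once=True):
    """POST the request; Graph returns the pass in temporaryAccessPass."""
    url, body = build_tap_request(user, lifetime_minutes, usable_once)
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {os.environ['GRAPH_TOKEN']}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def redact(tap_response):
    """Copy of the response that is safe to log: the pass value is masked."""
    return {k: "<redacted>" if k == "temporaryAccessPass" else v
            for k, v in tap_response.items()}
```

Call `create_tap("user@contoso.example")` (placeholder UPN) and hand the `temporaryAccessPass` value to the user out of band; log only `redact(result)`.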