Office 365 - Protecting user accounts with FIDO2 keys (TAP method)
FIDO2 based Passwordless technology allows users to use a USB key sign in to Azure AD (Microsoft Entra ID) without using passwords. Once enabled, the users will be able to sign in to their accounts and log onto their Windows 10 machines ( Azure AD (Microsoft Entra ID) or Hybrid AD joined) using FIDO2 Security keys. The access is still protected by two factors in this case: 1) having physical access to the security key and 2) PIN or Fingerprint (on devices with biometrics support) configured on the FIDO2 Security keys
FIDO2 keys as a security method is available with Microsoft Azure AD (Microsoft Entra ID) for already a couple of years now. Being the most secure access method available for Office 365 user access, enrolling FIDO2 security keys had a requirement of MFA to be configured for the users, which made it useless for use cases where users do not have (or do not want) to use multiple devices to log in. This has finally changed!
During the MS Ignite 2021 conference (which was held virtually this year as well), in addition to GA of Passwordless, Microsoft also announced a new feature, Temporary Access Pass in Azure AD (Microsoft Entra ID) (Preview), which will allow your end users to use only a FIDO2 Security key to access their account (this eliminates the requirement of having the MFA configured prior to that, which was the case before).
This guide will describe how the administrator can set Temporary Access Pass for a user, and how that user can subsequently enroll his/her FIDO2 security key:
Enable the Temporary Access Pass (TAP)
As this is a preview feature, it has to be enabled first. Global administrator and Authentication Method Policy administrator role holders can update the TAP authentication method policy. To configure the TAP authentication method policy:
- Sign in to the Azure portal as a Global admin and click Azure Active Directory > Security > Authentication methods > Temporary Access Pass.
- Click Yes to enable the policy, select which users have the policy applied, and any General settings
Note: make sure FIDO2 Security Key method is also enabled (it is on the same page).
- You can keep the default TAP values for the time being. A full description of possible options is available here
Create Temporary Access Pass for a userNow, lets create a temporary access pass for a user. The user should be allowed to use TAP (configured in the previous step). To add a TAP for a user, follow the steps below:
Sign in to the portal as either a Global administrator, Privileged Authentication administrator, or Authentication administrator.
- Click Azure Active Directory, browse to Users, select a user, then choose Authentication methods.
- If needed, select the option to Try the new user authentication methods experience.
- Select the option to Add authentication methods.
- Below Choose method, click Temporary Access Pass (Preview).
- Define a custom activation time or duration and click Add
- Once added, the details of the TAP are shown. Make a note of the actual TAP value. You provide this value to the user. You can't view this value after you click Ok.
Adding a FIDO2 Key using TAP LoginThe steps below will allow a user to add a FIDO2 security key as the only authentication method for his/her account.
- User needs to log out of all existing session or launch a web browser in Private (Incognito) mode
- Navigate to https://aka.ms/mysecurityinfo
- Enter the UPN of the account (the TAP was created for), such as [email protected]
- If the TAP is valid, instead of the regular password and MFA prompt, the login form will ask for a temporary access pass
- After logging in with the TAP, the browser will redirect to the Security Methods page, where a FIDO2 key can be added
Add a FIDO2 Security key by clicking Add method and choosing Security key
Where to buy FIDO2 Security keys to use with this method?
All of our FIDO2 keys are compatible with Azure AD (Microsoft Entra ID). You can place an order online or contact us for a quote. We ship worldwide* both with regular post and express services such as FedEx, UPS and DHL.
* - with the exception of Iran, India, Russia and a couple of other locations due to very complex customs clearance procedures
VideoCheck out this video review demonstrating the process of the configuration of this method as well as user registration and login experience
Subscribe to our mailing list
Want to keep up-to-date with the latest Token2 news, projects and events? Join our mailing list!