Temporary Access Pass Feature Enabled

LOW
Note: This indicator is in Early Access.

Description

Temporary Access Pass (TAP) serves as a temporary authentication method, offering an alternative to the standard Microsoft Entra authentication such as a password and MFA. Designed for cases such as employee onboarding, password loss and helpdesk resets, or as a bootstrap for implementing other authentication methods like passwordless (e.g. Microsoft Authenticator, Windows Hello for Business, or FIDO2 security key), TAP introduces a time-limited or single-use passcode. Users can use this passcode throughout the TAP's lifespan, depending on the configured TAP policy, which you set in the "Authentication methods" console (via the Azure Portal or the Microsoft Entra admin center). This policy can apply universally to all users or selectively to specific groups. Once the policy is activated, privileged users with the required permission can generate a TAP in the "Authentication methods" console. Key considerations include:

  • TAP bypasses MFA, as it is considered a strong authentication method.
  • TAP poses a potential security risk if a malicious actor with elevated privileges exploits it. In such a scenario, an attacker could access an account without knowing the password and without resetting it, which makes it stealthier. Note that a TAP does not replace a user's password. Therefore, targeted users can still sign in using their regular password or other authentication method, despite a backdoor TAP being set up.

If your organization uses TAPs, ensure that they serve exclusively for onboarding new hires or devices. Consequently, logins through TAPs should occur only infrequently and under close supervision.

This legitimate feature can be enabled intentionally and is presently active within the tenant. In such instances, you can add the tenant as an exception in the options, while being mindful of the expanded attack surface. Conversely, if the feature is not in use, it is advisable to disable it to minimize the potential attack surface.

Solution

You can use this feature to bootstrap passwordless authentication methods as Microsoft recommends. If your organization uses it for that purpose, then you must add your tenant ID to the exclusion list for this Indicator of Exposure. To further mitigate the attack surface, consider narrowing down the scope of users or groups eligible for Temporary Access Pass generation by changing the default setting of "All users" to a more restricted subset.

However, if your organization currently does not use TAP, it is safer to disable it using the following procedure:

  • Sign in to the "Microsoft Entra admin center".
  • Navigate to "Protection" > "Authentication methods" > "Policies".
  • From the list of available authentication methods, select "Temporary Access Pass".
  • Switch the "Enable" toggle to "Off" to disable the feature.
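As an added example (not part of this indicator page or of Tenable's own check), the following Python evaluates a captured TAP policy the way this indicator and its exclusion list do, and flags the "All users" scope the Solution asks you to narrow. The JSON shape assumes the Microsoft Graph temporaryAccessPassAuthenticationMethodConfiguration resource; the sample values and tenant ids are constructed.

```python
import json

# Constructed sample of a Microsoft Graph response for
# GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/temporaryAccessPass
# Field names follow the temporaryAccessPassAuthenticationMethodConfiguration
# resource (assumption); the values are made up for this example.
SAMPLE_TAP_POLICY = json.dumps({
    "id": "TemporaryAccessPass",
    "state": "enabled",
    "defaultLifetimeInMinutes": 60,
    "maximumLifetimeInMinutes": 480,
    "isUsableOnce": False,
    "includeTargets": [
        {"targetType": "group", "id": "all_users", "isRegistrationRequired": False}
    ],
})

ALL_USERS = "all_users"  # well-known target id Entra uses for the "All users" scope


def assess_tap_policy(policy_json: str, tenant_id: str, excluded_tenants: set) -> dict:
    """Evaluate a TAP policy the way this indicator does.

    triggered - True when TAP is enabled and the tenant is not on the exclusion list
    scope     - "all_users" or the list of group ids allowed to receive a TAP
    findings  - notes on settings that widen the attack surface
    """
    policy = json.loads(policy_json)
    enabled = policy.get("state", "disabled").lower() == "enabled"
    targets = [t.get("id") for t in policy.get("includeTargets", [])]
    findings = []
    if enabled and tenant_id in excluded_tenants:
        findings.append("TAP enabled but tenant is on the exclusion list")
    if ALL_USERS in targets:
        scope = ALL_USERS
        if enabled:
            findings.append("TAP scope is 'All users'; restrict it to an onboarding group")
    else:
        scope = targets
    if enabled and not policy.get("isUsableOnce", False):
        findings.append("TAPs are reusable for their whole lifetime; prefer one-time use")
    return {
        "triggered": enabled and tenant_id not in excluded_tenants,
        "enabled": enabled,
        "scope": scope,
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(assess_tap_policy(SAMPLE_TAP_POLICY, "tenant-a", set()), indent=2))
```

Feed it the live policy from Graph (the same endpoint the sample mimics) to confirm that the toggle above actually took effect, or that an excluded tenant's scope is no longer "All users".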

Indicator Details

Name: Temporary Access Pass Feature Enabled

Codename: TEMPORARY-ACCESS-PASS-FEATURE-ENABLED

Severity: Low

MITRE ATT&CK Information: