Automating Approval and Access to an Entra ID Account

How I automated approval and access to a user's Entra ID account for troubleshooting with Temporary Access Passes


Let's be honest, when it comes to standard day to day support for our helpdesk staff there's been times where we've had to ask for a user's password in order to troubleshoot a specific problem. It's not right, it's not safe, but we often choose the path of least resistance and opt to go down the route that gets the user off the phone and allows us to troubleshoot in our own environment in our own time without the pressure of being watched.

It got me thinking...

Surely there's a way we can request access to a user's account, for a time-limited period, and not have to share credentials?

Then it hit me...

Temporary Access Passes!

Background

Microsoft first introduced Temporary Access Passes in public preview back in March 2021[1]. They were created as a passwordless account onboarding solution, allowing users to register for passwordless authentication methods without knowing the actual password to their account. These passes expired after a certain time period, making them ideal short-lived passwords for onboarding.

Temporary Access Passes are now in general availability and used by orgs all across the globe for onboarding their staff, and for multifactor authentication recovery scenarios.

What my thinking was

Knowing that these Temporary Access Passes are effectively just "short-lived passwords" that Entra deems a form of two-factor authentication, could I use this method to gain access to a user's account for the purpose of troubleshooting?

It turns out... yes, I could!

The Automation

ℹ️ This section is intended as general guidance on setting up this automation. For assistance, feel free to leave a comment!

Prerequisites

Here are the tools I used to make all of this work:

  • Microsoft Forms
  • Microsoft Power Automate

The Automation Process

Let's break it down: what's the process, and what does the automation actually do?

  1. A member of IT staff completes a Microsoft Forms form. The form asks for the end user's user principal name, the duration of access, the reason for access (a ticket number is expected here), and a confirmation that the IT staff member agrees the request is necessary and adequately justified.
  2. Upon form submission, Power Automate picks up the submission details, fetches the IT staff member's details and the end user's details, and starts an Approvals process.
    1. The approval is sent to the end user, outlining the request details, the duration and which IT staff member requested the access. They can then either accept or decline the request.
  3. Upon acceptance, the flow makes an API call to Microsoft Graph to add a new TAP method to the user's account with the requested duration. The TAP is then sent to the IT staff member in an encrypted email.
  4. Upon rejection, an email detailing the rejection is sent to the IT staff member.

The Power Automate flow.
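The Graph call behind step 3, as an added PowerShell example rather than the post's own flow: it issues a TAP for the approved user with the Microsoft Graph PowerShell SDK, returns the pass value once, and makes the checks the flow should make before calling Graph. The UPN, ticket number and duration are constructed placeholders, and the calling identity is assumed to hold the `UserAuthenticationMethod.ReadWrite.All` permission.

```powershell
# Added example: issue a Temporary Access Pass for an approved request.
# Assumes the Microsoft.Graph PowerShell SDK and an identity granted
# UserAuthenticationMethod.ReadWrite.All. UPN and ticket values are placeholders.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

function New-ApprovedTap {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [int]    $DurationMinutes,
        [Parameter(Mandatory)] [string] $TicketNumber
    )
    # Mirror the tenant policy from the post (10 minutes to 8 hours) on the client
    # so a bad form value fails with a clear message instead of a Graph 400.
    if ($DurationMinutes -lt 10 -or $DurationMinutes -gt 480) {
        throw "Duration $DurationMinutes is outside the 10-480 minute TAP policy"
    }

    $base = "https://graph.microsoft.com/v1.0/users/$UserPrincipalName/authentication/temporaryAccessPassMethods"

    # Refuse to issue a pass while one is still usable: an unexpected existing
    # TAP is something to investigate, not something to silently replace.
    $usable = (Invoke-MgGraphRequest -Method GET -Uri $base).value |
        Where-Object { $_.isUsable }
    if ($usable) {
        throw "$UserPrincipalName already has a usable TAP (id $($usable.id)); investigate before issuing another"
    }

    $body = @{
        lifetimeInMinutes = $DurationMinutes
        isUsableOnce      = $false   # reusable for the session, as in the post's policy
    }
    $tap = Invoke-MgGraphRequest -Method POST -Uri $base -Body $body
    $expires = ([datetime]$tap.startDateTime).AddMinutes($tap.lifetimeInMinutes)

    # The pass value is returned exactly once; everything else is safe to log.
    Write-Information "TAP $($tap.id) issued for $UserPrincipalName, ticket $TicketNumber, expires $($expires.ToString('u'))" -InformationAction Continue

    return [pscustomobject]@{
        Pass      = $tap.temporaryAccessPass   # hand to the requester over the encrypted channel only
        MethodId  = $tap.id                    # lets you revoke early with DELETE on "$base/<MethodId>"
        ExpiresAt = $expires
    }
}

# Constructed placeholder values for a dry run.
$result = New-ApprovedTap -UserPrincipalName 'user@contoso.example' -DurationMinutes 120 -TicketNumber 'INC-0000'
```

In the Power Automate flow the same POST is made from an HTTP action; the policy bounds and the existing-TAP check above are what it should enforce before the call.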

Configuring TAP policy

It first helps to actually enable Temporary Access Pass authentication within your Authentication Methods in Entra ID; otherwise you won't be able to generate or use a TAP, making this whole post pointless really...

I opted to go for a policy that dictates a 10-minute minimum lifetime, an 8-hour maximum (a typical workday), a minimum of 8 characters, and the option for it to be used multiple times. I found this struck a perfect balance between security and convenience for helpdesk staff.
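The policy described above expressed as a Microsoft Graph PATCH, as an added PowerShell example and not the post's own configuration: it sets the lifetime bounds, length and reuse setting the automation relies on, then reads the policy back to confirm them. The group id is a placeholder for the group whose members may receive a TAP, and the identity is assumed to hold `Policy.ReadWrite.AuthenticationMethod`.

```powershell
# Added example: apply the TAP authentication method policy from the post via Graph.
# Assumes the Microsoft.Graph PowerShell SDK and Policy.ReadWrite.AuthenticationMethod;
# the group id below is a placeholder, not a real object id.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'

$uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/TemporaryAccessPass'

$policy = @{
    '@odata.type'            = '#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration'
    state                    = 'enabled'
    minimumLifetimeInMinutes = 10      # shortest pass a request may ask for
    maximumLifetimeInMinutes = 480     # 8 hours, one workday
    defaultLifetimeInMinutes = 60      # used when a request omits lifetimeInMinutes
    defaultLength            = 8       # pass length, 8 characters as in the post
    isUsableOnce             = $false  # allow reuse for the duration of the pass
    includeTargets           = @(
        @{
            targetType             = 'group'
            id                     = '00000000-0000-0000-0000-000000000000'  # placeholder group id
            isRegistrationRequired = $false
        }
    )
}
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $policy

# Read the policy back and fail loudly if the bounds the automation trusts are not in place.
$applied = Invoke-MgGraphRequest -Method GET -Uri $uri
if ($applied.state -ne 'enabled' -or
    $applied.minimumLifetimeInMinutes -ne 10 -or
    $applied.maximumLifetimeInMinutes -ne 480) {
    throw "TAP policy did not apply as expected: state=$($applied.state), max=$($applied.maximumLifetimeInMinutes)"
}
```

Scoping includeTargets to a group rather than all users limits who can be issued a pass at all, independent of who can submit the form.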

Design your Microsoft Form

This one is pretty straightforward to be honest, so I won't go into too much detail. Just head to Microsoft Forms and create your form with the questions/answers you require.

Microsoft Forms Request Access Form

I do recommend scoping it so that only specific people or groups of people, namely your IT staff, can access and respond to the form.

Then design the Power Automate flow like I have in the screenshot above, or however you see fit!

The End User Experience

The automation has been designed in a way that requires as little input from the end user as is possible, whilst still keeping them informed.

Once an IT admin submits the form/access request, the user receives a simple email (and Teams notification). It outlines which IT admin has requested the access, the reason for the request, and the duration they'd like access for.

The user then has the option to select "Approve" or "Reject" and add a comment.

That's it, their response is submitted, and the IT admin can go on with their day!

The IT Admin Experience

They start by filling out the form and hitting submit... then, they wait. An approval is automatically sent to the end user requesting their approval.

If the end user approves, they'll receive the email below.

If the approval is rejected, they'll receive this email instead...

Conclusion

And with that, IT staff can now request access to a user's account for the purpose of troubleshooting whilst allowing the user to keep their current password a secret. The IT staff member is allowed to access the user's account for the duration outlined in their request, before Entra ID automatically revokes the TAP and, in turn, the access to the account.

What are your thoughts? Let me know what you think! 🫡

Want a copy of the Power Automate flow? Let me know!


Sources

[1] https://techcommunity.microsoft.com/blog/microsoft-entra-blog/temporary-access-pass-is-now-in-public-preview/1994702