Automating with PowerShell: Deploying Temporary Access passwords

So last time I spoke about Passwordless but skimped over the new feature TAP. TAP stands for Temporary Access Password and TAP is actually pretty cool, especially for MSPs deploying loads of devices. The TAP is a generated password that has a maximum amount of uses.

So I can already hear your gears grind; That’s both super cool but also has some major security implications. Today we’re covering the cool part, and the security implications around TAPs will be discussed in a future blog. In that blog I’ll also discuss prevention and detection.

So, onto the cool stuff; the use cases for the TAP are endless. Imagine you have a client environment where you still need that little bit of extra white glove support, by installing an unique LOB application. You could setup the new device using intune or MDT, and then logon to the new account using the TAP to finish the setup to perfection. Of course I’d highly recommend automating those steps, but I understand that’s not possible for each use case. My fellow MVP Peter Klapwijk has a good blog about this.

So let’s get to the scripting part, we’ll first need to enable TAP for the tenant.

The Script

######### TAP Settings #########
$MinimumLifetime = "60" #Minutes
$MaximumLifetime = "480" #minutes
$DefaultLifeTime = "60" #minutes
$OneTimeUse = $false
$DefaultLength = "8"
######### Secrets #########
$ApplicationId = 'AppID'
$ApplicationSecret = 'AppSecret'
$TenantID = 'TenantIDForWhichtoEnableTap'
######### Secrets #########

$TAPSettings = @"
  {"@odata.type":"#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration",
  "id":"TemporaryAccessPass",
  "includeTargets":[{"id":"all_users",
  "isRegistrationRequired":false,
  "targetType":"group","displayName":"All users"}],
  "defaultLength":$DefaultLength,
"defaultLifetimeInMinutes":$DefaultLifeTime,
  "isUsableOnce":false,
  "maximumLifetimeInMinutes":$MaximumLifetime,
"minimumLifetimeInMinutes":$MinimumLifetime,
"state":"enabled"}
"@

$body = @{
'resource' = 'https://graph.microsoft.com'
'client_id' = $ApplicationId
'client_secret' = $ApplicationSecret
'grant_type' = "client_credentials"
'scope' = "openid"
}

foreach ($tenant in $tenants) {

    write-host "Working on client $($tenant.defaultdomainname)"
    try {
        $ClientToken = Invoke-RestMethod -Method post -Uri "https://login.microsoftonline.com/$($tenantid)/oauth2/token" -Body $body -ErrorAction Stop
        $headers = @{ "Authorization" = "Bearer $($ClientToken.access_token)" }
        Invoke-RestMethod -ContentType "application/json" -UseBasicParsing -Method Patch -Headers $Headers -body $TAPSettings -uri "https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/TemporaryAccessPass"
    }
    catch {
        Write-Warning "Could not log into tenant $($tenant.DefaultDomainName) or retrieve policy. Error: $($_.Exception.Message)"
    }

}

You probably noticed that this script does not perform the tasks for all tenants – That’s because currently it’s not possible for delegates to set this. You’ll need to run this for each tenant on their own, but after that you’ll be able to use the TAP. 🙂 As always, Happy PowerShelling!

Recent Articles

The return of CyberDrain CTF

CyberDrain CTF returns! (and so do I!)

It’s been since september that I actually picked up a digital pen equivalent and wrote anything down. This was due to me being busy with life but also my side projects like CIPP. I’m trying to get back into the game of scripting and blogging about these scripts. There’s still so much to automate and so little time, right? ;)

Monitoring with PowerShell: Monitoring Acronis Backups

Intro

This is a monitoring script requested via Reddit, One of the reddit r/msp users wondered how they can monitor Acronis a little bit easier. I jumped on this because it happened pretty much at the same time that I was asked to speak at the Acronis CyberSummit so it kinda made sense to script this so I have something to demonstrate at my session there.

Monitoring with PowerShell: Monitoring VSS Snapshots

Intro

Wow! It’s been a while since I’ve blogged. I’ve just been so swamped with CIPP that I’ve just let the blogging go entirely. It’s a shame because I think out of all my hobbies it’s one I enjoy the most. It’s always nice helping others achieve their scripting target. I even got a couple of LinkedIn questions asking if I was done with blogging but I’m not. Writing always gives me some more piece of mind so I’ll try to catch up again. I know I’ve said that before but this time I’ll follow through. I’m sitting down right now and scheduling the release of 5 blogs in one go. No more whining and no more waiting.