Automating with PowerShell: Deploying Temporary Access passwords

1 Comment Series: PowerShell Automation

So last time I spoke about Passwordless but skimped over the new feature TAP. TAP stands for Temporary Access Password and TAP is actually pretty cool, especially for MSPs deploying loads of devices. The TAP is a generated password that has a maximum amount of uses.

So I can already hear your gears grind; That’s both super cool but also has some major security implications. Today we’re covering the cool part, and the security implications around TAPs will be discussed in a future blog. In that blog I’ll also discuss prevention and detection.

So, onto the cool stuff; the use cases for the TAP are endless. Imagine you have a client environment where you still need that little bit of extra white glove support, by installing an unique LOB application. You could setup the new device using intune or MDT, and then logon to the new account using the TAP to finish the setup to perfection. Of course I’d highly recommend automating those steps, but I understand that’s not possible for each use case. My fellow MVP Peter Klapwijk has a good blog about this.

So let’s get to the scripting part, we’ll first need to enable TAP for the tenant.

The Script

######### TAP Settings #########
$MinimumLifetime = "60" #Minutes
$MaximumLifetime = "480" #minutes
$DefaultLifeTime = "60" #minutes
$OneTimeUse = $false
$DefaultLength = "8"
######### Secrets #########
$ApplicationId = 'AppID'
$ApplicationSecret = 'AppSecret'
$TenantID = 'TenantIDForWhichtoEnableTap'
######### Secrets #########
 

$TAPSettings = @"
  {"@odata.type":"#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration",
  "id":"TemporaryAccessPass",
  "includeTargets":[{"id":"all_users",
  "isRegistrationRequired":false,
  "targetType":"group","displayName":"All users"}],
  "defaultLength":$DefaultLength,
  "defaultLifetimeInMinutes":$DefaultLifeTime,
  "isUsableOnce":false,
  "maximumLifetimeInMinutes":$MaximumLifetime,
  "minimumLifetimeInMinutes":$MinimumLifetime,
  "state":"enabled"}
"@

$body = @{
    'resource'      = 'https://graph.microsoft.com'
    'client_id'     = $ApplicationId
    'client_secret' = $ApplicationSecret
    'grant_type'    = "client_credentials"
    'scope'         = "openid"
}
  
foreach ($tenant in $tenants) {
 
    write-host "Working on client $($tenant.defaultdomainname)"
    try {
        $ClientToken = Invoke-RestMethod -Method post -Uri "https://login.microsoftonline.com/$($tenantid)/oauth2/token" -Body $body -ErrorAction Stop
        $headers = @{ "Authorization" = "Bearer $($ClientToken.access_token)" }
        Invoke-RestMethod -ContentType "application/json" -UseBasicParsing -Method Patch -Headers $Headers -body $TAPSettings -uri "https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/TemporaryAccessPass"
    }
    catch {
        Write-Warning "Could not log into tenant $($tenant.DefaultDomainName) or retrieve policy. Error: $($_.Exception.Message)"
    }
  
}

You probably noticed that this script does not perform the tasks for all tenants – That’s because currently it’s not possible for delegates to set this. You’ll need to run this for each tenant on their own, but after that you’ll be able to use the TAP. 🙂 As always, Happy PowerShelling!

You May Also Like

1 Comment

  1. Pingback: Automating with PowerShell: Enabling MFA with Web-Sign in for Windows Devices - CyberDrain

Leave a comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.