Temporary Access Pass sign in was blocked due to User Credential Policy

General introduction

Temporary Access Pass (TAP) is a time-limited passcode that allows users to register passwordless methods or recover access to their accounts without knowing their password. It is enabled via an authentication method policy that you configure in Azure Active Directory. Apart from being time-limited, a TAP can also be restricted to one-time use. This can be configured either on the authentication methods policy, so that every TAP created is one-time only (not the best idea at the moment), or per pass when the TAP is created on the user's authentication methods page.



The issue

The “Temporary Access Pass sign in was blocked due to User Credential Policy” error means that the user has already used the TAP and it was configured not to be valid for a second login. To fix this, modify the policy to allow multi-use TAPs (if that's not already the case), then issue a new TAP.


While it makes sense from a security perspective to require one-time use at the policy level, this is usually impractical. For example, if you are using Autopilot, the user is asked to enter credentials twice before Windows Hello for Business is configured: the first time at the enrollment phase, and the second time when logging into the user account for the first time. A one-time-use TAP policy will break this flow. It's also very common for users to mistakenly log off before configuring a passwordless method; if they do, you'll need to issue a second TAP. For these reasons, it makes sense to set a stricter lifetime but allow the TAP to be used multiple times within that timeframe.

Modify the Temporary Access Pass policy:

  • Open Authentication methods, then Temporary Access Pass (Authentication Methods | AAD).
  • From here, click Configure. If Require one-time use is already set to No, proceed to the next step. If it's set to Yes, click Edit.
  • Set Require one-time use to No, then Save.

Issue a multi-use TAP:

  • Head into All Users | Azure AD, then select the user you want to issue the TAP to.
  • Click on Authentication Methods, then Add authentication method.
  • From the dropdown list, select Temporary Access Pass. Make sure One-time use is set to No, then click Add.
  • Send the new TAP to the user.
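The same two procedures (relaxing the policy, then issuing a short-lived multi-use TAP) scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Identity.SignIns modules are installed and that the signed-in admin holds the roles needed to edit the authentication methods policy and the user's authentication methods; the user principal name and the 60-minute lifetime are placeholders.

```powershell
# Added example (not from the original post). Placeholders: $userUpn, $requestedMinutes.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "UserAuthenticationMethod.ReadWrite.All"

$userUpn          = "alice@contoso.onmicrosoft.com"   # placeholder UPN
$requestedMinutes = 60                                 # placeholder: short lifetime compensates for multi-use
$tapPolicyUri     = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/TemporaryAccessPass"

# Step 1: read the tenant-wide TAP configuration (state, isUsableOnce, lifetime bounds).
$policy = Invoke-MgGraphRequest -Method GET -Uri $tapPolicyUri
if ($policy.state -ne "enabled") {
    throw "The Temporary Access Pass method is disabled in the authentication methods policy; enable it first."
}

# Step 2: if "Require one-time use" is set at policy level, turn it off.
# Every TAP created while this is true is rejected on its second use, which is
# exactly the "blocked due to User Credential Policy" error.
if ($policy.isUsableOnce -eq $true) {
    Invoke-MgGraphRequest -Method PATCH -Uri $tapPolicyUri -Body @{
        "@odata.type" = "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration"
        isUsableOnce  = $false
    }
    $policy = Invoke-MgGraphRequest -Method GET -Uri $tapPolicyUri
}

# Step 3: clamp the requested lifetime to the range the policy allows; Graph
# rejects a TAP whose lifetime falls outside minimum/maximumLifetimeInMinutes.
$lifetime = [Math]::Max($policy.minimumLifetimeInMinutes,
                        [Math]::Min($requestedMinutes, $policy.maximumLifetimeInMinutes))

# Step 4: a user holds at most one TAP; remove any existing pass (used, expired
# or not) so the one you send is unambiguous.
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userUpn | ForEach-Object {
    Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userUpn `
        -TemporaryAccessPassAuthenticationMethodId $_.Id
}

# Step 5: issue the multi-use TAP. The passcode is returned only in this response,
# so hand it over through a channel you would trust with a password.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userUpn `
        -IsUsableOnce:$false -LifetimeInMinutes $lifetime

"TAP for {0}: {1} (valid {2} min from {3:u}, multi-use)" -f `
    $userUpn, $tap.TemporaryAccessPass, $tap.LifetimeInMinutes, $tap.StartDateTime
```

If you would rather keep one-time use as the tenant default, skip step 2 and keep `-IsUsableOnce:$false` on the per-user call: the per-pass setting is what the Autopilot and "logged off too early" cases above actually need, and the lifetime clamp still keeps the window short.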

How to enable and disable Security Defaults



General introduction

Security Defaults are one of the ways to establish a baseline identity security posture for your tenant: a set of preconfigured settings that protect your organization from the most common identity attacks. They can be enabled on a tenant with just one click. Well, two, if you count the save button. These settings are aimed at small and medium businesses that might not have an IT team with the knowledge or resources to configure the equivalent controls manually.

If you are currently using Conditional Access Policies, Security Defaults are not for you: the two cannot be enabled at the same time. In more complex environments, going the Conditional Access way is trickier to manage but provides more benefits, such as the ability to require access from known and compliant devices. Also, Conditional Access Policies require Azure Active Directory Premium P1, and not every organization is licensed for it.

If you wish to learn more about Conditional Access, I wrote a post about it:

Security Defaults have been enabled by default in all newly created tenants since October 2019, and Microsoft is rolling them out to existing tenants that don't have Conditional Access Policies enabled.

What Security Defaults do is:

  1. Require all users to register for MFA using the Microsoft Authenticator app. Users have 14 days to register before they are forced to do so at sign-in.
  2. Require MFA for administrators on every sign-in, for users when necessary, and for anyone accessing privileged portals such as the Azure portal.
  3. Block legacy authentication protocols, which can't support MFA.




How to enable Security Defaults

  1. Access the Azure AD properties with an admin account by clicking on the following link, or navigating through the portal to Properties: Azure AD Properties | Azure Portal
  2. Click on Manage Security Defaults at the bottom of the page
  3. Set the Security Defaults to Enabled
  4. Save



How to disable Security Defaults

  1. Access the Azure AD properties with an admin account by clicking on the following link or navigating through the portal to Properties: Azure AD Properties | Azure Portal
  2. Click on Manage Security Defaults at the bottom of the page
  3. Set the Security Defaults to Disabled
  4. Provide a reason for disabling Security Defaults
  5. Save
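The same switch made through Microsoft Graph, with the check the portal does for you (Security Defaults cannot be turned on while Conditional Access policies are in use). This is an added example and not part of the original post. It assumes the Microsoft.Graph.Identity.SignIns module is installed and the signed-in admin can change identity security policies; set `$enable` to `$false` to disable. The portal's "reason" prompt has no Graph equivalent, so record the reason in your own change log.

```powershell
# Added example (not from the original post). $enable is the only input.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$enable = $true   # $false to disable Security Defaults

$current = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults currently enabled: {0}" -f $current.IsEnabled

if ($enable) {
    # Security Defaults and Conditional Access are mutually exclusive. Treat any
    # policy that is not fully disabled (enabled or report-only) as blocking, which
    # is the conservative reading of the tenant-side check.
    $activeCa = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -ne "disabled" }
    if ($activeCa) {
        throw ("Cannot enable Security Defaults: {0} Conditional Access policies are in use ({1})." -f `
               $activeCa.Count, ($activeCa.DisplayName -join ", "))
    }
}
else {
    # Disabling removes the MFA registration, admin MFA and legacy-auth block
    # described above. Only do it once Conditional Access policies cover the same ground.
    $replacement = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -eq "enabled" }
    if (-not $replacement) {
        Write-Warning "No enabled Conditional Access policy found; disabling Security Defaults leaves the tenant without an MFA baseline."
    }
}

Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$enable

# Read the policy back rather than trusting the call: a silent no-op here
# would leave you believing the baseline is in place when it isn't.
$after = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($after.IsEnabled -ne $enable) { throw "Security Defaults state did not change as expected." }
"Security Defaults now enabled: {0}" -f $after.IsEnabled
```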

Notes

If you wish to learn more about Security Defaults, refer to the following documentation page:

Security Defaults | Microsoft Docs

Outlook requires app password for connecting to Exchange Online

Even though most organizations use modern authentication to connect to Exchange Online, some users still have to use app passwords to connect from Outlook. App passwords exist because basic authentication cannot carry an MFA prompt, so Outlook falls back to them whenever modern authentication is unavailable.

For tenants created after August 2017, modern authentication is enabled by default, but some admins have turned it off.

To enable modern authentication for Exchange Online from the Microsoft 365 admin center (Settings > Org settings > Modern authentication), follow these steps:

  • Tick “Turn on modern authentication for Outlook 2013 for Windows and later”.
  • For now, leave all the basic authentication protocols selected.
  • Click “Save“.

You should aim to disable all the basic authentication protocols as soon as every client is on modern authentication: they are what app passwords ride on, and a basic-auth sign-in never sees an MFA prompt.
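The same change made with the ExchangeOnlineManagement module, followed by the step the paragraph above recommends: blocking basic authentication with an authentication policy once the pilot is clean. This is an added example, not code from the original post. It assumes the module is installed and the signed-in account is an Exchange administrator; the policy name and the pilot user's UPN are placeholders.

```powershell
# Added example (not from the original post). Placeholders: $policyName, $pilotUser.
Connect-ExchangeOnline

$policyName = "Block Basic Auth"                   # placeholder
$pilotUser  = "alice@contoso.onmicrosoft.com"      # placeholder UPN

# 1. Enable modern authentication (OAuth 2.0) for Outlook. Once this is on and the
#    client supports it, Outlook signs in with the user's normal credentials plus MFA
#    and no app password is needed. Outlook 2013 additionally needs the client-side
#    registry change linked below; Outlook 2016 and later use it automatically.
if (-not (Get-OrganizationConfig).OAuth2ClientProfileEnabled) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}
"Modern authentication enabled: {0}" -f (Get-OrganizationConfig).OAuth2ClientProfileEnabled

# 2. Create an authentication policy that blocks basic authentication. With no
#    -AllowBasicAuth* switch supplied, New-AuthenticationPolicy disables every
#    basic-auth protocol (POP, IMAP, SMTP, EWS, ActiveSync, Outlook RPC, ...).
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}

# 3. Verify what the policy still allows before assigning it; every Allow* should be False.
$allowed = Get-AuthenticationPolicy -Identity $policyName |
    Select-Object -ExpandProperty PSObject -ExpandProperty Properties |
    Where-Object { $_.Name -like "AllowBasicAuth*" -and $_.Value -eq $true }
if ($allowed) { throw ("Policy still allows basic auth for: {0}" -f ($allowed.Name -join ", ")) }

# 4. Assign to a pilot user first. Once that user's Outlook keeps working (and the
#    sign-in logs show no basic-auth traffic), make the policy the tenant default.
Set-User -Identity $pilotUser -AuthenticationPolicy $policyName
# Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName   # tenant-wide, after the pilot
```

Step 3 is the check worth keeping even if you build the policy by hand: a policy created with `New-AuthenticationPolicy` blocks everything by default, but one edited later with `Set-AuthenticationPolicy -AllowBasicAuthSmtp` (or similar) quietly reopens a protocol that app passwords can use.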

To enable modern authentication on Outlook 2013, which does not use it by default, follow this guide:

Enable Modern Authentication for Office 2013 on Windows devices