Simplifying Entra ID Temporary Access Pass Creation with PowerShell

Sometimes we need to grant temporary access to Entra ID users for specific purposes, like onboarding. Microsoft Entra ID provides a feature called Temporary Access Pass (TAP) that lets an administrator issue a short-lived, passwordless credential to a user. In this blog post, I’ll walk through a simple PowerShell script that streamlines creating a TAP from the console using the Microsoft Graph API and Out-ConsoleGridView.

What is a Temporary Access Pass?

A Temporary Access Pass (TAP) is a time-limited passcode, issued by an administrator, that satisfies strong authentication on its own. It is not a token: the user types it at sign-in in place of a password or another registered method. It is particularly useful when a user cannot yet authenticate with a strong method, for example during onboarding before Microsoft Authenticator or a FIDO2 key is registered, or when a user has lost their device and needs to register a replacement. The allowed lifetime (between 10 minutes and 30 days) and whether a pass is single-use are governed by the tenant’s Authentication methods policy.

Overview of the PowerShell Script

The PowerShell script we’ll discuss facilitates the creation of a TAP for a user in Microsoft Entra. It leverages the Microsoft Graph API to interact with user accounts and manage authentication methods.

Here’s a breakdown of how the script works:

1. Setting Up the Environment

Before using the script, make sure the prerequisites are in place: the Microsoft Graph PowerShell SDK (for Connect-MgGraph and Get-MgUser), PowerShell 7 for the Microsoft.PowerShell.ConsoleGuiTools module, the two delegated scopes below, and an Entra role that is allowed to manage authentication methods (Authentication Administrator for ordinary users, Privileged Authentication Administrator for users that hold admin roles). Temporary Access Pass must also be enabled and targeted at the user in the Authentication methods policy; the Graph scopes alone are not enough.

# Connect to Graph:
Connect-MgGraph -NoWelcome -Scopes "User.Read.All", "UserAuthenticationMethod.ReadWrite.All"

# Install PowerShell Console GUI Tools (only if it is not already installed):
if (-not (Get-Module -ListAvailable -Name Microsoft.PowerShell.ConsoleGuiTools)) {
    Install-Module Microsoft.PowerShell.ConsoleGuiTools -Scope CurrentUser -Force
}

2. Selecting a User

The script retrieves a list of users from Microsoft Graph and presents them in a grid view for selection:

$UserId = (Get-MgUser -All | Select-Object Id, DisplayName, UserPrincipalName | Out-ConsoleGridView -Title 'Select user' -OutputMode Single).Id

This lets you pick the user for whom the TAP will be created. If the grid is closed without a selection, $UserId is empty, so check for that before building the request URL.

3. Choosing a Start Date

Next, the script allows you to select a start date for the TAP:

$Dates = for ($i = 0; $i -lt 30; $i++) {
(Get-Date -Date (Get-Date).AddDays($i) -Format "yyyy-MM-dd")
}
$Date = $Dates | Out-ConsoleGridView -Title 'Start date' -OutputMode Single

This code generates a list of dates for the next 30 days, giving you a convenient way to select the desired start date.

4. Selecting a Start Time

Similarly, you choose a start time for the TAP:

$Times = for ($i = 0; $i -lt 24; $i++) {
    (Get-Date -Date (Get-Date -Hour 0 -Minute 0).AddHours($i) -Format "HH:mm")
}
$Time = $Times | Out-ConsoleGridView -Title 'Start time' -OutputMode Single

This section provides a list of whole hours to specify when the TAP should start, expressed in the local time of the admin running the script.

5. Defining the Duration

The script then asks you to specify the TAP duration in hours:

$Durations = for ($i = 1; $i -lt 9; $i++) {
$i
}
$Duration = ($Durations | Out-ConsoleGridView -Title 'Duration (hours valid)' -OutputMode Single) * 60

Here you can select a duration between 1 and 8 hours, which is converted to minutes because Graph expects lifetimeInMinutes. The upper bound matches the default maximum TAP lifetime in the Authentication methods policy (480 minutes); if your tenant policy allows less, Graph rejects the request.
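The lifetime bounds and the one-time-use setting come from the tenant policy, and the setup step above only requests scopes without verifying them. The following added example (my own helper, not code from the original post) reads the TemporaryAccessPass configuration from the Authentication methods policy and validates the chosen lifetime and usability against it before anything is created. It assumes an existing Connect-MgGraph session that also holds Policy.Read.All, which the original scope list does not include; the function names Get-TapPolicy and Test-TapRequest are mine.

```powershell
# Added example, not part of the original post: check the tenant's TAP policy before
# asking Graph to create a pass. Assumes an existing Connect-MgGraph session that also
# holds Policy.Read.All (needed to read the Authentication methods policy).
function Get-TapPolicy {
    $Uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/TemporaryAccessPass'
    Invoke-MgGraphRequest -Method GET -Uri $Uri   # returns a hashtable
}

function Test-TapRequest {
    param(
        [Parameter(Mandatory)][int]$LifetimeInMinutes,
        [Parameter(Mandatory)][bool]$IsUsableOnce,
        [hashtable]$Policy                          # optional: pass a cached Get-TapPolicy result
    )
    # Fail early if the session is missing or lacks the scopes the calls below need.
    $Context = Get-MgContext
    if (-not $Context) { throw 'Not connected. Run Connect-MgGraph first.' }
    foreach ($Scope in 'UserAuthenticationMethod.ReadWrite.All', 'Policy.Read.All') {
        if ($Context.Scopes -notcontains $Scope) { throw "Missing Graph scope: $Scope" }
    }
    if (-not $Policy) { $Policy = Get-TapPolicy }

    if ($Policy.state -ne 'enabled') {
        throw 'Temporary Access Pass is disabled in the Authentication methods policy.'
    }
    $Min = [int]$Policy.minimumLifetimeInMinutes
    $Max = [int]$Policy.maximumLifetimeInMinutes
    if ($LifetimeInMinutes -lt $Min -or $LifetimeInMinutes -gt $Max) {
        throw "Lifetime $LifetimeInMinutes min is outside the policy range $Min-$Max min."
    }
    # When the policy forces one-time use, a multi-use pass cannot be issued.
    if ($Policy.isUsableOnce -and -not $IsUsableOnce) {
        throw 'Policy restricts all passes to one-time use; set isUsableOnce to true.'
    }
    # The pass only works for users covered by includeTargets (all_users or group ids).
    $Targets = ($Policy.includeTargets | ForEach-Object { $_.id }) -join ', '
    Write-Verbose "TAP policy targets: $Targets"
    $true
}

# Usage with the values picked in the grid views above:
# Test-TapRequest -LifetimeInMinutes $Duration -IsUsableOnce ([bool]::Parse($Choice)) -Verbose
```

Run the check right before the POST; a failed policy check is a clearer message than the generic error Graph returns when a request falls outside the policy.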

6. Selecting Usability

The script provides an option to specify whether the TAP can be used only once:

$Choices = 'true', 'false'
$Choice = $Choices | Out-ConsoleGridView -Title 'Is usable once' -OutputMode Single

You choose ‘true’ or ‘false’; the string is interpolated unquoted into the JSON body, so it becomes a JSON boolean. Prefer ‘true’ for onboarding: a one-time pass cannot be replayed if it leaks after the user has consumed it.

7. Creating the TAP

With all parameters set, the script combines the chosen date and time into a UTC timestamp, builds a JSON payload and POSTs it to the Microsoft Graph API to create the TAP. Graph interprets startDateTime as UTC, so the local selection is converted rather than simply suffixed with Z:

# Calculate start date (local selection converted to UTC).
$StartDate = ([datetime]"$Date $Time").ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

$Body = @"
{
    "startDateTime": "$StartDate",
    "lifetimeInMinutes": $Duration,
    "isUsableOnce": $Choice
}
"@
$Result = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/users/$UserId/authentication/temporaryAccessPassMethods" -Body $Body -ContentType 'application/json'

The API call returns the created temporaryAccessPassAuthenticationMethod object (id, startDateTime, lifetimeInMinutes, isUsableOnce, isUsable, methodUsabilityReason) together with the pass value in temporaryAccessPass. The value is only returned by this call; later reads of the method return it as null, so capture it here or not at all.

8. Displaying the Result

Finally, the script outputs the TAP to the console:

$Result
Write-Host ''
Write-Host -ForegroundColor Cyan "TAP: $($Result.temporaryAccessPass)"

This shows the generated TAP immediately. Treat it as a live credential: deliver it to the user over a separate channel (not the mailbox the TAP is meant to unlock), and remember that Write-Host output lands in any running transcript.
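The steps above only cover creation. The following added example (my own code, not from the original post) shows the same create call with a hashtable body, which Invoke-MgGraphRequest serialises to JSON so there are no quoting mistakes, a local start time converted to UTC, and the list and delete calls needed to revoke a pass that reached the wrong person. It assumes an existing Connect-MgGraph session with UserAuthenticationMethod.ReadWrite.All; $UserId is the id picked in the grid view above, and the function names are mine.

```powershell
# Added example, not part of the original post: create, list and revoke a TAP for a user.
# Assumes an existing Connect-MgGraph session with UserAuthenticationMethod.ReadWrite.All.
$TapUri = 'https://graph.microsoft.com/v1.0/users/{0}/authentication/temporaryAccessPassMethods'

function Get-UserTap {
    param([Parameter(Mandatory)][string]$UserId)
    # temporaryAccessPass is null in this listing; the value is only returned on creation.
    (Invoke-MgGraphRequest -Method GET -Uri ($TapUri -f $UserId)).value
}

function Remove-UserTap {
    param(
        [Parameter(Mandatory)][string]$UserId,
        [Parameter(Mandatory)][string]$TapId
    )
    Invoke-MgGraphRequest -Method DELETE -Uri (($TapUri -f $UserId) + "/$TapId") | Out-Null
}

function New-UserTap {
    param(
        [Parameter(Mandatory)][string]$UserId,
        [datetime]$StartLocal = (Get-Date),                      # local wall-clock time the pass becomes valid
        [ValidateRange(10, 43200)][int]$LifetimeInMinutes = 60,  # Entra's absolute bounds; tenant policy may be tighter
        [bool]$IsUsableOnce = $true
    )
    # Entra permits one usable TAP per user. Removing any existing pass first keeps the new
    # one the only valid credential and avoids a conflict on tenants that reject a second pass.
    foreach ($Existing in Get-UserTap -UserId $UserId) {
        Remove-UserTap -UserId $UserId -TapId $Existing.id
    }
    $Body = @{
        startDateTime     = $StartLocal.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
        lifetimeInMinutes = $LifetimeInMinutes
        isUsableOnce      = $IsUsableOnce
    }
    # Returns the created method as a hashtable, including temporaryAccessPass.
    Invoke-MgGraphRequest -Method POST -Uri ($TapUri -f $UserId) -Body $Body
}

# Usage:
# $Tap = New-UserTap -UserId $UserId -StartLocal (Get-Date '2024-06-03 09:00') -LifetimeInMinutes 120
# $Tap.temporaryAccessPass                        # hand this to the user out of band; it is never returned again
# Remove-UserTap -UserId $UserId -TapId $Tap.id   # revoke if it reached the wrong person
```

Because the pass value is never readable again after creation, revocation is the only remedy for a misdelivered TAP; Remove-UserTap is the call to keep at hand for that case.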

Full Script

function New-EntraIDTAP {
    # Connect to Graph. The signed-in account also needs an Entra role that may manage
    # authentication methods (for example Authentication Administrator); scopes alone are not enough.
    Connect-MgGraph -NoWelcome -Scopes "User.Read.All", "UserAuthenticationMethod.ReadWrite.All"


    # Install PowerShell Console GUI Tools (PowerShell 7+) only if it is not already present.
    if (-not (Get-Module -ListAvailable -Name Microsoft.PowerShell.ConsoleGuiTools)) {
        Install-Module Microsoft.PowerShell.ConsoleGuiTools -Scope CurrentUser -Force
    }


    # SELECT user.
    $UserId = (Get-MgUser -All | Select-Object Id, DisplayName, UserPrincipalName | Out-ConsoleGridView -Title 'Select user' -OutputMode Single).Id
    if (-not $UserId) { Write-Warning 'No user selected.'; return }


    # SELECT date (today and the next 29 days).

    $Dates = for ($i = 0; $i -lt 30; $i++) {
        (Get-Date -Date (Get-Date).AddDays($i) -Format "yyyy-MM-dd")
    }

    $Date = $Dates | Out-ConsoleGridView -Title 'Start date' -OutputMode Single


    # SELECT time (whole hours, local time).

    $Times = for ($i = 0; $i -lt 24; $i++) {
        (Get-Date -Date (Get-Date -Hour 0 -Minute 0).AddHours($i) -Format "HH:mm")
    }

    $Time = $Times | Out-ConsoleGridView -Title 'Start time' -OutputMode Single


    # Calculate start date: convert the selected local time to UTC, since Graph expects UTC.
    $StartDate = ([datetime]"$Date $Time").ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')


    # SELECT duration (1-8 hours, converted to minutes; must lie within the tenant TAP policy bounds).

    $Durations = for ($i = 1; $i -lt 9; $i++) {
        $i
    }

    $Duration = ($Durations | Out-ConsoleGridView -Title 'Duration (hours valid)' -OutputMode Single) * 60


    # SELECT isUsableOnce.

    $Choices = 'true', 'false'

    $Choice = $Choices | Out-ConsoleGridView -Title 'Is usable once' -OutputMode Single


    # Request TAP:
    $Body = @"
{
    "startDateTime": "$StartDate",
    "lifetimeInMinutes": $Duration,
    "isUsableOnce": $Choice
}
"@

    $Result = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/users/$UserId/authentication/temporaryAccessPassMethods" -Body $Body -ContentType 'application/json'


    # Output result. The pass value is returned only by this call and is a live credential:
    # hand it to the user out of band and keep it out of transcripts and logs.
    $Result
    Write-Host ''
    Write-Host -ForegroundColor Cyan "TAP: $($Result.temporaryAccessPass)"

}


New-EntraIDTAP

Conclusion

This PowerShell script provides a user-friendly way to create Temporary Access Passes using Microsoft Graph. By using interactive console grid views, it simplifies picking the user, start time, lifetime and usability of a TAP. Whether you’re handling temporary access requests or managing user authentication methods, this script can be a valuable tool in your administrative toolkit.

Feel free to adapt and extend this script to fit your organization’s specific needs!

Please follow me here, on LinkedIn, and on X!

@DanielChronlund