Intro

This guide is devided into two phases. One phase is about preparing the customer’s Microsoft 365 Entra ID to support passwordless implementation.
The other phase is about creating users, adding temporary access pass and self-service password reset options.

DISCLAIMER: Some of the pictures is in danish – I wish to come back and edit for english version of the pictures at a later time, but since this guide was primary written and used in Denmark, I apologize for the danish pictures, even through I believe you will understand the basics of this configuration just from reading the text.

The customer tenant needs to be “cloud-only”, that means that users must not be synced from any Active Directory.

This guides focus on Microsoft Authenticator standard passwordless, but it is recommended to use passkeys (FIDO2) for administrative roles.
Normal users should also be configured for passkeys in Microsoft Authenticator after mid-january 2025, where it will be in GA.

Prerequisites

Customer’s Microsoft 365 tenant must be setup for Converged Authentication Methods.
There is a seperate guide to follow for this part: Migration to Converged Authentication Methods – Overview

Enable Temporay Access Pass

Navigate to Authentication Methods | Policies: Authentication methods – Microsoft Entra admin center 
Now enable Temporary Access Pass:
Enable for all users:

Configure One-Time usage, default lifetime and length:

Now it is enabled:

New User: Create guide

Then creating new users, there is a sligthy different proces involved with giving the user access to the new account.

1. Open Entra ID and create new user
   
2. Fill out basic details as normal (do not copy the password, you will not need it)
   
3. Go through the rest of the steps and create the user.
4. Now navigate the newly created user, select authentication methods and add new authentication method.
   
5. Define delayed start to match then the user will be having its first day (usualy defined in onboarding formular from HR)
   
6. Provide the user (or requesting manager / HR) with the username, temporary password and registration URL:
   
7. Then the user first visits the page, the user will be asked to setup Microsoft Authenticator. It is important that the user proceed and enable phone-based signin from Microsoft Authenticator, otherwise the user will lose access after the first 8 hours because of the expiration of the temporary password and no other password will be provided to the user. This Microsoft article provides details about that for the user to follow: Passwordless sign-in with Microsoft Authenticator – Microsoft Entra ID | Microsoft Learn 

Existing User – Create Temporary Access Pass

Proces for existing users are similar. If only done for a few users, you can use Entra ID portal as descripted in the new user proces.
Provide users with the same method (temporary access pass, URL for registration and guide). Existing users will often already be enrolled for MFA by using Microsoft Authenticator and therefore they can skip the registration process and navigate straight to the enablement of phone-based signin via Microsoft Authenticator.

Use PowerShell then having to enable temporary access pass for many users:

# Define with the access pass will be active. Once starttime is reached, it will be active for 8 hours.
# Change date and hours to fit your needs
$StartTime = "2024-12-19T00:00:00.000Z"

# DO NOT EDIT BELOW THIS LINE

$UserTempPassTable = New-Object 'System.Collections.Generic.List[System.Object]'

$GroupName = Read-Host "Input name of group containing users to add a temporary access pass."
$GroupName = "DisplayName eq '" + $GroupName + "'"

Connect-MgGraph -Scopes 'Group.Read.All','UserAuthenticationMethod.ReadWrite.All' -ContextScope Process

Import-Module Microsoft.Graph.Identity.SignIns

$Group = Get-MgGroup -Filter $GroupName
$GroupMembers = Get-MgGroupMember -GroupId $Group.Id

$params = @{
	startDateTime = [System.DateTime]::Parse("$StartTime")
	lifetimeInMinutes = 480
	isUsableOnce = $true
}

Foreach ($GU in $GroupMembers)
{
    $User = Get-MGUser -UserId $GU.Id
    $Pass = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $GU.Id -BodyParameter $params

    $objUserTempPassTable = [PSCustomObject]@{
        'UPN'					  = $User.UserPrincipalName
        'DisplayName'             = $User.DisplayName 
        'TemporaryAccessPass'	  = $Pass.TemporaryAccessPass

    }
    $UserTempPassTable.add($objUserTempPassTable)

    Clear-variable User
    Clear-Variable Pass
}

# Export list of users with newly generated access passes to current folder of PS session
$UserTempPassTable | Export-CSV -Path ".\TemporaryAccessPasses.csv" -Delimiter ";" -nti

Phone based sigin activation (user guide):

It is important that you complete Microsoft Authenticator configuration on the https://aka.ms/mysecurityinfo  page using your new username and provided temporary access pass. Once you have enabled MFA, proceed with enablement of phone based signin, otherwise you will lose access in 8 hours.

1. Still in Microsoft Authenticator on the object added for your username, press Activate phone login:
   
2. Allow your device to be registrered (not managed):
   
3. Make sure you are signing in with your temporary access pass, because normal password will not work:
   
4. Allow it to register if asked again.
5. Now you can see that phone based signin is enabled:
   
6. Now everytime you are asked to signin using your Microsoft 365 credential, you will only be prompted to approve using number matching via your smartphone and the Microsoft Authenticator application:
   

Daily user experience

Then users are asked to sign in with their Microsoft 365 credentials, they now only need to sign in using their phone (number matching MFA in Microsoft Authenticator, no password is provided doing signin):