Using Microsoft Temporary Access Pass

Gabriela Peralta - Versasec
Gabriela Peralta - Versasec
  • Updated

Introduction

From version 6.6 it is possible to configure vSEC:CMS to generate and extract a Temporary Access Pass (TAP) from an already configured Entra ID connection. TAP is a time-limited passcode that can be configured for multi or single use to allow users to onboard other authentication methods such as FIDO2 tokens. In this article we will describe how you can configure vSEC:CMS to generate and provide a TAP to a user when issuing a supported credential in vSEC:CMS.

Important
It will be required that you already have a connection to Azure AD setup and TAP is configured in your Azure AD environment. See the article Entra ID Configuration for details on how to setup a connection to Azure AD.

Configure

We will create a basic template where we will issue a credential from Entra ID and export the TAP as part of the issuance flow.

Step 1 - Setup eMail Template

It will be required to configure an email template that will be used to send the TAP when the credential is issued. Look in the article Connection here and see the section Email for details on how you can setup an SMTP email connector.

Navigate to Options - Connections - Data Export and click Add. Enter a template name and select Email (Export to email) from the Target drop-down list. Enable Send email automatically and click Configure email button. Configure the email details and use vSEC:CMS variables that are mapped to attributes to retrieve the data needed when sending the TAP via email. For TAP you should use these variables: ${AadTapId} and ${AadTapCode}

For example:

Untitled.png

Click Ok to save and close the settings.

Select the SMTP connector already configured from the SMTP server drop-down list.

Untitled.png

Click Save to save and close out.

Step 2 - Create Credential Template

The next step is to create a basic credential template which will be used to issue your credential and send the TAP via email to the credential holder. 

You will need to have already configured a connector to Entra ID. See the article here and look in the section Entra ID Connection for details on how to do that.

Navigate to Templates - Card Templates  and click Add.

Click the Edit link beside General. Enter a template name and attach a credential that is to be managed by this template and click the Detect button and wait for the vSEC:CMS to detect the credential type and click Ok.

Leave all other settings as default and click Ok to close and save.

2. Click the Edit link beside Issue Card. In the User ID Options section enable Assign user ID and select the Entra ID connection in the drop-down list. If you wish to issue a certificate(s) then add these in Enroll Certificate Options section.

Leave all other settings as is and click Ok to save the settings.

3. Click the Edit link for Entra ID Tap Code to configure how the TAP code can be sent to the credential holder post credential PIN activation. 

Click Enable and depending on how you wish the user should receive the TAP code different options are available. Enable User may request Entra ID Tap Code via console if it is required that the end user can request such codes. This will enable a button in the Credential tab in the vSEC:CMS User application for the end-user to request the code. Enable Force authentication and you will have to configure a delivery option to deliver the code. Click the Deliver button and create an email template that will be used to send the code. You can use a similar template as created earlier in this article.

Enable Operator may generate Entra ID Tap Codes if it is required that an operator/helpdesk person can request such codes from the Actions - Smart Card Unblock page. Enable Show code if it is required that the operator/helpdesk person can see the code to share with the end-user. Click the Deliver button and create an email template that will be used to send the code. You can use a similar template as created earlier in this article.

In the Expiration Configuration section you can configure TAP restrictions in regards to the validity of the code. Enable Override lifetime definer on Entra ID to override what is set in Entra ID if you wish to configure a specific setting for this from vSEC:CMS. Enable Usable once if you want to ensure that the TAP code can be used only once.

Untitled.png

4. Click the Edit link in the Initiate Card section to configure vSEC:CMS to send the TAP code when the user sets their credential PIN after the credential has been issued for the first time. Enable System generate Entra ID TAP Code and click Configure.

Untitled.png

From the drop-down box select the email data export template created earlier and click Add. Click Ok to save and close.

Untitled.png

5. Click Ok to save and close the template.

Issue Credential

From the Lifecycle page attach a blank credential to your host.

Click the Issued oval and select the template from Select card template drop-down list and click Execute.

You will be prompted to enter your Operator passcode before the issuance will begin. Then you will be prompted to select the user from Entra ID that the credential will be issued to. Select the user and at the end of the process you will get a short summary dialog of what operations were performed.

Click the Active oval and the user can set a PIN from their credential. An email should be sent to the user email address as is set in Azure with the TAP.

Untitled.png

Additionally, you can generate a new TAP from Actions - Smart Card Unblock and search for the user. Then you should see a button Request TAP Code and click this to generate a new TAP.