Create temporaryAccessPassAuthenticationMethod

Namespace: microsoft.graph


APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Create a new temporaryAccessPassAuthenticationMethod object on a user. A user can only have one Temporary Access Pass. The passcode can be used between the start and end time of the Temporary Access Pass. If the user requires a new Temporary Access Pass:

  • While the current Temporary Access Pass is valid – the admin needs to delete the existing Temporary Access Pass and create a new pass on the user. Deleting a valid Temporary Access Pass will revoke the user’s sessions.
  • After the Temporary Access Pass has expired – a new temporary access pass overrides the current temporary access pass and doesn't revoke the user’s sessions.


One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

Permissions acting on self

Permission type Permissions (from least to most privileged)
Delegated (work or school account) UserAuthenticationMethod.ReadWrite
Delegated (personal Microsoft account) Not supported.
Application Not supported.

Permissions acting on other users

Permission type Permissions (from least to most privileged)
Delegated (work or school account) UserAuthenticationMethod.ReadWrite.All
Delegated (personal Microsoft account) Not supported.
Application UserAuthenticationMethod.ReadWrite.All

For delegated scenarios where an admin is acting on another user, the admin needs one of the following Azure AD roles:

  • Global administrator
  • Privileged authentication administrator
  • Authentication administrator

HTTP request

POST /users/{id | userPrincipalName}/authentication/temporaryAccessPassMethods

Request headers

Name Description
Authorization Bearer {token}. Required.
Content-Type application/json. Required.

Request body

In the request body, supply a JSON representation of the temporaryAccessPassAuthenticationMethod object.

The following table describes optional properties that can be used when creating the temporaryAccessPassAuthenticationMethod.

Property Type Description Required
startDateTime DateTimeOffset The date and time when the temporaryAccessPass becomes available to use, if not set the Temporary Access Pass is available to use at creation time. No
lifetimeInMinutes Int32 The lifetime of the temporaryAccessPass in minutes starting at creation time or at startDateTime, if set. Minimum 10, Maximum 43200 (equivalent to 30 days). No
isUsableOnce Boolean Determines if the pass is limited to a one time use. If True – the pass can be used once, if False – the pass can be used multiple times within the temporaryAccessPass life time. A multi-use Temporary Access Pass (isUsableOnce = false), can only be created and used for sign-in if it is allowed by the Temporary Access Pass Authentication method policy. No


If successful, this method returns a 201 Created response code and a temporaryAccessPassAuthenticationMethod object in the response body.



Content-Type: application/json

  "@odata.type": "#microsoft.graph.temporaryAccessPassAuthenticationMethod",
  "startDateTime": "2021-01-26T00:00:00.000Z",
  "lifetimeInMinutes": 60,
  "isUsableOnce": false


Note: The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-Type: application/json

  "@odata.type": "#microsoft.graph.temporaryAccessPassAuthenticationMethod",
    "id": "81757535-e21e-4330-a338-33b8038ff12b",
    "temporaryAccessPass": "nc+&G=xwDKCz",
    "createdDateTime": "2021-01-25T23:53:35.5026721Z",
    "startDateTime": "2021-01-26T00:00:00Z",
    "lifetimeInMinutes": 60,
    "isUsableOnce": false,
    "isUsable": false,
    "methodUsabilityReason": "NotYetValid"