SOP — New-Hire Passwordless M365 Account Setup (Entra)
CyberSuite’s M365 tenant is passwordless — users never sign in with a password. A new hire bootstraps their account with a Temporary Access Pass (TAP), then registers Microsoft Authenticator and a passkey, after which they sign in passwordless. We eat our own cooking: this is the same identity hardening we sell.
As-built tenant config (verified 2026-06-06 — the SOP depends on these)
Enabled authentication methods (Entra → Protection → Authentication methods → Policies):
- Passkey (FIDO2)
- Microsoft Authenticator (passwordless phone sign-in)
- Temporary Access Pass — reusable (One-time: No), length 8, lifetime 1 hr default / 1 hr min / 8 hr max
Conditional Access policies enforcing it (Entra → Protection → Conditional Access):
| Policy | Effect |
|---|---|
| Require MFA – All Users | Every member must satisfy MFA. New hires are covered automatically (targets All users). |
| Phishing-Resistant MFA for Admins | Privileged roles must use a phishing-resistant method — FIDO2 passkey / Windows Hello / CBA only (Authenticator phone sign-in does not satisfy this). |
| Require MFA – Guest Access | Guests (e.g. jerry@pdright.com) must satisfy an auth strength allowing WHfB / passkey / CBA / Authenticator phone sign-in / TAP. |
| Block Legacy Authentication | Kills basic-auth protocols that bypass MFA. |
⚠️ Break-glass: Conditional Access can lock the whole tenant out if a policy misfires and a device is lost. Confirm one cloud-only emergency-access Global Admin account exists, with a long random password in 1Password (CyberSuite-Infra), excluded from the MFA policies. (See open question at the bottom — verify this exists.)
Procedure — onboard a new hire
1. Create the account (admin.microsoft.com → Users → Active users → Add a user)
- Name + username firstname@cybersuite.tech (per the naming convention; {function}@ is reserved for shared role mailboxes).
- Let it auto-generate a password — it is never used or shared (the hire bootstraps with a TAP). Do not email it.
- Assign a license (e.g. Microsoft 365 Business Premium) and the appropriate groups. The CA policies target All users, so the hire is protected the moment the account exists.
2. Issue a Temporary Access Pass (entra.microsoft.com → Identity → Users → [the new hire] → Authentication methods → + Add authentication method → Temporary Access Pass)
- Set activation time + lifetime within policy (default 1 hr, max 8 hr). For a scheduled start, set it to activate at their start time.
- Copy the TAP (8-char code).
3. Deliver the TAP securely
- Hand it over out-of-band — a phone/video call, in person, or a one-time 1Password share — not plain email/SMS. It’s a live credential until it expires.
4. New hire registers their passwordless methods
- Sign in at https://mysignins.microsoft.com with the username → choose Temporary Access Pass → enter the TAP.
- At Security info → Add sign-in method, register both:
- Microsoft Authenticator — install the app, add the work account, enable phone sign-in (passwordless).
- Passkey (FIDO2) — device passkey (Windows Hello / Touch ID) or a hardware key. Required if the hire will hold any admin role (see step 6).
5. Retire the TAP
- It expires on its own; once methods are registered, delete the TAP from the user’s Authentication methods. From here the hire signs in passwordless (Authenticator / passkey) — no password, ever.
6. If the hire will be an admin — register the passkey first
- The Phishing-Resistant MFA for Admins policy blocks Authenticator phone sign-in for privileged roles. So register the FIDO2 passkey / Windows Hello before assigning the admin role, or the first privileged sign-in will be blocked.
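The portal clicks in steps 1, 2, 5 and 6 have a scriptable equivalent in the Microsoft Graph PowerShell SDK. The script below is an added example for this SOP, not CyberSuite's own tooling. It assumes the operator's account holds User.ReadWrite.All, UserAuthenticationMethod.ReadWrite.All and Directory.ReadWrite.All, that 'SPB' is the tenant's Business Premium SKU part number and 'US' the usage location (both are assumptions; confirm with Get-MgSubscribedSku and the hire's country), and that the TAP lifetime window is the 60-480 minute range from the as-built config above. Step 3 stays human: the TAP is printed once on the operator's console for out-of-band handover.

```powershell
# Added example (not CyberSuite's tooling): scripted new-hire provisioning via Microsoft Graph PowerShell.
# Assumptions: scopes User.ReadWrite.All, UserAuthenticationMethod.ReadWrite.All, Directory.ReadWrite.All;
# 'SPB' = Microsoft 365 Business Premium SKU part number; 'US' = usage location (both to be confirmed).
param(
    [Parameter(Mandatory)] [string] $FirstName,
    [Parameter(Mandatory)] [string] $LastName,
    [datetime] $StartTime          = (Get-Date),  # TAP activation; set to the start time for a scheduled start
    [int]      $TapLifetimeMinutes = 60,          # tenant policy: default 60, min 60, max 480
    [string]   $SkuPartNumber      = 'SPB',       # assumption: Business Premium
    [string]   $UsageLocation      = 'US'         # assumption: required before a license can be assigned
)

# Step 6 gate: refuse to proceed with a privileged role until a phishing-resistant method is registered,
# otherwise "Phishing-Resistant MFA for Admins" blocks the first privileged sign-in.
function Assert-PhishingResistantMethod {
    param([Parameter(Mandatory)] [string] $UserId)
    $fido = @(Get-MgUserAuthenticationFido2Method -UserId $UserId)
    $whfb = @(Get-MgUserAuthenticationWindowsHelloForBusinessMethod -UserId $UserId)
    if (($fido.Count + $whfb.Count) -eq 0) {
        throw "No FIDO2 passkey or Windows Hello registered for $UserId; register one before assigning any admin role."
    }
}

# Step 5: delete every TAP on the account once Authenticator and the passkey are registered.
function Remove-TemporaryAccessPass {
    param([Parameter(Mandatory)] [string] $UserId)
    foreach ($tap in @(Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserId)) {
        Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserId -TemporaryAccessPassAuthenticationMethodId $tap.Id
    }
}

Connect-MgGraph -Scopes 'User.ReadWrite.All','UserAuthenticationMethod.ReadWrite.All','Directory.ReadWrite.All' -NoWelcome

# Step 1: firstname@cybersuite.tech. Graph requires a password profile, so generate 32 random bytes,
# hand them over as the password and discard them; nobody ever sees or uses that value.
$alias = $FirstName.ToLowerInvariant()
$upn   = "$alias@cybersuite.tech"
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$user = New-MgUser -DisplayName "$FirstName $LastName" -GivenName $FirstName -Surname $LastName `
    -UserPrincipalName $upn -MailNickname $alias -AccountEnabled -UsageLocation $UsageLocation `
    -PasswordProfile @{ Password = [Convert]::ToBase64String($bytes); ForceChangePasswordNextSignIn = $false }
Remove-Variable bytes

# Step 1 (cont.): license. The CA policies target All users, so the account is covered from this point.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $SkuPartNumber
if (-not $sku) { throw "SKU '$SkuPartNumber' not found in this tenant" }
Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @() | Out-Null

# Step 2: issue a reusable TAP (tenant policy: One-time = No) inside the allowed lifetime window.
if ($TapLifetimeMinutes -lt 60 -or $TapLifetimeMinutes -gt 480) { throw 'TAP lifetime must be 60-480 minutes per tenant policy' }
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id `
    -StartDateTime $StartTime.ToUniversalTime() -LifetimeInMinutes $TapLifetimeMinutes -IsUsableOnce:$false

# Step 3 is a human step: the code is shown once, here only, for out-of-band delivery.
"User: $upn"
"TAP (usable from $($tap.StartDateTime) UTC for $TapLifetimeMinutes min): $($tap.TemporaryAccessPass)"
"After registration, run: Remove-TemporaryAccessPass -UserId $($user.Id)"
"Before any admin role, run: Assert-PhishingResistantMethod -UserId $($user.Id)"
```

Dot-source the script (`. .\New-Hire.ps1 -FirstName Ada -LastName Lovelace`) so the two helper functions stay available in the session for steps 5 and 6 later in the day.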
Verification
- Hire signs in to office.com with no password, MFA satisfied by Authenticator/passkey.
- Entra sign-in logs show the expected method + the CA policies applied.
- (Admin hires) sign-in succeeds with a phishing-resistant method.
- TAP deleted; license + groups correct.
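The same four checks can be run against Entra instead of eyeballing the portal. This is an added verification script for the SOP, not CyberSuite's own tooling. It assumes read scopes UserAuthenticationMethod.Read.All, AuditLog.Read.All, Directory.Read.All and User.Read.All, and uses the policy display names from the as-built table above; the 'Password' method label is the one Entra sign-in logs use for a password factor.

```powershell
# Added example (not CyberSuite's tooling): runs the Verification checklist via Microsoft Graph PowerShell.
# Assumptions: scopes UserAuthenticationMethod.Read.All, AuditLog.Read.All, Directory.Read.All, User.Read.All;
# CA policy names as in the as-built config table.
param(
    [Parameter(Mandatory)] [string] $Upn,
    [switch] $AdminHire   # also require "Phishing-Resistant MFA for Admins" to have been satisfied
)
Connect-MgGraph -Scopes 'UserAuthenticationMethod.Read.All','AuditLog.Read.All','Directory.Read.All','User.Read.All' -NoWelcome

$user  = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName,AssignedLicenses
# Registered methods come back as a polymorphic list; the concrete type is in @odata.type.
$types = @(Get-MgUserAuthenticationMethod -UserId $user.Id | ForEach-Object { $_.AdditionalProperties['@odata.type'] })

$checks = [ordered]@{
    'Microsoft Authenticator registered' = $types -contains '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
    'FIDO2 passkey registered'           = $types -contains '#microsoft.graph.fido2AuthenticationMethod'
    'TAP deleted'                        = $types -notcontains '#microsoft.graph.temporaryAccessPassAuthenticationMethod'
    'License assigned'                   = @($user.AssignedLicenses).Count -gt 0
}

# Recent successful sign-ins: which methods satisfied the request and which CA policies applied.
$usedPassword = $false; $mfaAllUsers = $false; $adminPolicy = $false
$ok = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top 25 | Where-Object { $_.Status.ErrorCode -eq 0 }
foreach ($s in $ok) {
    $methods = @($s.AuthenticationDetails | ForEach-Object AuthenticationMethod)
    $applied = @($s.AppliedConditionalAccessPolicies | Where-Object Result -eq 'success' | ForEach-Object DisplayName)
    if ($methods -contains 'Password')                          { $usedPassword = $true }
    if ($applied -contains 'Require MFA – All Users')           { $mfaAllUsers  = $true }
    if ($applied -contains 'Phishing-Resistant MFA for Admins') { $adminPolicy  = $true }
    "{0:u}  {1,-28} methods: {2}; CA: {3}" -f $s.CreatedDateTime, $s.AppDisplayName, ($methods -join ', '), ($applied -join '; ')
}
$checks['No password factor in recent sign-ins'] = -not $usedPassword
$checks['Require MFA – All Users applied']        = $mfaAllUsers
if ($AdminHire) { $checks['Phishing-Resistant MFA for Admins satisfied'] = $adminPolicy }

$checks.GetEnumerator() | ForEach-Object { "{0,-5} {1}" -f ($(if ($_.Value) { 'PASS' } else { 'FAIL' })), $_.Key }
if ($checks.Values -contains $false) { exit 1 }
```

Run it after the hire's first office.com sign-in; the sign-in log section is empty until then, and the two CA checks will read FAIL by design.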
Offboarding (mirror)
- Disable account → revoke sessions / sign-ins → remove license → remove registered auth methods → reassign/forward any shared-mailbox access. Document the date + who.
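The offboarding sequence, scripted in the same order (disable first, so nothing new can authenticate while the rest runs), as an added example rather than CyberSuite's own tooling. It assumes User.ReadWrite.All, UserAuthenticationMethod.ReadWrite.All and Directory.ReadWrite.All, and writes a one-line JSON record of date and operator to a local path that is an assumption here; shared-mailbox reassignment is an Exchange Online task outside Graph's authentication-method APIs, so the record marks it as pending.

```powershell
# Added example (not CyberSuite's tooling): Offboarding mirror via Microsoft Graph PowerShell.
# Assumptions: scopes User.ReadWrite.All, UserAuthenticationMethod.ReadWrite.All, Directory.ReadWrite.All;
# $RecordPath is a placeholder for wherever the offboarding record is kept.
param(
    [Parameter(Mandatory)] [string] $Upn,
    [Parameter(Mandatory)] [string] $Operator,   # who ran the offboarding (the "who" in the record)
    [string] $RecordPath = ".\offboarding-$(Get-Date -Format yyyyMMdd).jsonl"   # assumption: local record
)
Connect-MgGraph -Scopes 'User.ReadWrite.All','UserAuthenticationMethod.ReadWrite.All','Directory.ReadWrite.All' -NoWelcome
$user = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName,AssignedLicenses

# 1. Disable the account.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 2. Revoke refresh tokens and sessions (already-issued access tokens live until they expire).
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. Remove every assigned license.
$skuIds = @($user.AssignedLicenses | ForEach-Object SkuId)
if ($skuIds.Count -gt 0) {
    Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $skuIds | Out-Null
}

# 4. Remove registered auth methods: passkeys, Authenticator, and any TAP that was never cleaned up.
$removed = @()
foreach ($m in @(Get-MgUserAuthenticationFido2Method -UserId $user.Id)) {
    Remove-MgUserAuthenticationFido2Method -UserId $user.Id -Fido2AuthenticationMethodId $m.Id
    $removed += "fido2:$($m.Id)"
}
foreach ($m in @(Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id)) {
    Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id -MicrosoftAuthenticatorAuthenticationMethodId $m.Id
    $removed += "authenticator:$($m.Id)"
}
foreach ($m in @(Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id)) {
    Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id -TemporaryAccessPassAuthenticationMethodId $m.Id
    $removed += "tap:$($m.Id)"
}

# 5. Document the date + who. Shared-mailbox handover is done in Exchange Online and recorded as pending.
[pscustomobject]@{
    timestamp       = (Get-Date).ToUniversalTime().ToString('o')
    user            = $user.UserPrincipalName
    operator        = $Operator
    licensesRemoved = $skuIds
    methodsRemoved  = $removed
    sharedMailboxes = 'PENDING: reassign/forward in Exchange Online'
} | ConvertTo-Json -Compress | Add-Content -Path $RecordPath
```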
Open question to confirm
- Break-glass account: does a cloud-only emergency-access Global Admin (excluded from the CA MFA policies, credentials in 1Password) exist? If not, create one — it’s the safeguard against a tenant-wide lockout.
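The open question can be answered from the tenant rather than from memory. The check below is an added example, not CyberSuite's own tooling. It assumes Policy.Read.All, RoleManagement.Read.Directory, Directory.Read.All and User.Read.All, takes the break-glass UPN as a parameter (it is deliberately not written into this SOP), and checks exclusion from every enabled Conditional Access policy, which is a superset of the three MFA policies the break-glass note names. It evaluates active Global Administrator membership and direct group membership only; PIM-eligible assignments and nested groups are not resolved.

```powershell
# Added example (not CyberSuite's tooling): verifies the break-glass account via Microsoft Graph PowerShell.
# Assumptions: scopes Policy.Read.All, RoleManagement.Read.Directory, Directory.Read.All, User.Read.All;
# the break-glass UPN is supplied by the operator.
param([Parameter(Mandatory)] [string] $BreakGlassUpn)
Connect-MgGraph -Scopes 'Policy.Read.All','RoleManagement.Read.Directory','Directory.Read.All','User.Read.All' -NoWelcome

# Existence first: if the lookup fails, the answer to the open question is "no, create one".
try {
    $bg = Get-MgUser -UserId $BreakGlassUpn -Property Id,UserPrincipalName,AccountEnabled,OnPremisesSyncEnabled -ErrorAction Stop
} catch {
    Write-Warning "No account '$BreakGlassUpn' in the tenant: the break-glass account does not exist yet."
    exit 1
}
$groupIds = @(Get-MgUserMemberOf -UserId $bg.Id | ForEach-Object Id)   # direct memberships only

# Active Global Administrator membership (the activated directory role, not PIM eligibility).
$gaRole = Get-MgDirectoryRole | Where-Object DisplayName -eq 'Global Administrator'
$isGa   = $false
if ($gaRole) {
    $isGa = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id | ForEach-Object Id) -contains $bg.Id
}

$findings = [ordered]@{
    'Account enabled'               = [bool]$bg.AccountEnabled
    'Cloud-only (not synced)'       = -not $bg.OnPremisesSyncEnabled
    'Global Administrator (active)' = [bool]$isGa
}

# Every enabled CA policy must exclude the account, directly or through one of its groups;
# a policy that does not is a lockout path if the MFA device behind it is lost.
foreach ($p in Get-MgIdentityConditionalAccessPolicy | Where-Object State -eq 'enabled') {
    $u = $p.Conditions.Users
    $excluded = ($u.ExcludeUsers -contains $bg.Id) -or
                (@($u.ExcludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0)
    $findings["Excluded from CA policy '$($p.DisplayName)'"] = $excluded
}

$findings.GetEnumerator() | ForEach-Object { "{0,-5} {1}" -f ($(if ($_.Value) { 'PASS' } else { 'FAIL' })), $_.Key }
if ($findings.Values -contains $false) {
    Write-Warning 'Break-glass account does not meet the SOP requirements.'
    exit 1
}
```

A FAIL on any CA-policy line is the finding to act on: add the account to that policy's user exclusions before relying on it as the lockout safeguard.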