Hi Community,
Recently I was asked to set up an Autopilot and Device Preparation infra for a customer. All went fine, but after a few weeks the customer came back to me stating that they needed the end user’s credentials and MFA to enroll them. Of course I said that that is definitely NOT necessary and that they should use TAP for this. I know that it has been here for a while now; however, it seems that some people have forgotten about this super handy feature, hence this post.
This led me to write this small blog post on getting Temporary Access Pass configured, together with the very convenient Intune policy that enables Web sign-in after a reboot. TAP in combination with Web sign-in is a cool thing to have configured in your tenant.
What is TAP? (Temporary Access Pass)
A Temporary Access Pass (TAP) is a feature in Microsoft Entra ID (formerly Azure AD) that allows users to authenticate without needing a password or MFA (multi-factor authentication) when signing in for the first time or recovering access. It is typically used for:
- Onboarding new users (e.g., employees who haven’t set up MFA or passwordless authentication yet).
- Passwordless authentication recovery (e.g., if a user loses their primary authentication method).
- Helping IT admins securely grant temporary access without requiring password resets.
TAP is time-limited and can be configured with expiration policies to enhance security.
To set it up you need at least the Authentication Policy Administrator role and an Entra ID P1 license. The roles for creating the passcode are Global Administrator, Privileged Authentication Administrator or Authentication Administrator.
Check out the Microsoft documentation about TAP and Web sign-in.


Configure Temporary Access Pass in Entra ID
To configure Temporary Access Pass, go to the Entra ID portal – Protection – Authentication methods. Here you can enable Temporary Access Pass.
Tick the box to enable it, target it to all users or a specific group of users.
Click the Configure tab and set your desired config.
If you are satisfied with the settings, click update and save. Your Temporary Access Pass config is now in place.

And that is actually all it takes to configure Temporary Access Pass in Entra ID. Now let’s dive in and see how we can get the passcode.
Get the TAP passcode
Now let’s head back over to Entra ID – All Users, select a user – click Authentication methods – click Add authentication method.
Select Temporary Access Pass.
Use the slider to set how long the Temporary Access Pass passcode will be valid. You can also delay the time when the passcode becomes active. I will set it up for 6hrs. One time use is set to no because I need to reboot my machine and need my passcode more than 1 time.
Now you will be presented with the Temporary Access Pass passcode. Note it down, because when you click OK the window will close and you cannot retrieve it anymore.
And that is it to get a Temporary Access Pass passcode from that user account.
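The same steps through Microsoft Graph PowerShell, as an added example that is not part of the original post: it issues a 6-hour, multi-use TAP like the one above and revokes it once provisioning is done. The function names and the UPN are placeholders; it assumes the Microsoft.Graph.Identity.SignIns module is installed and that the signed-in admin can consent to the UserAuthenticationMethod.ReadWrite.All scope.

```powershell
# Added example, not from the original post.
# Assumes: Microsoft.Graph.Identity.SignIns is installed and TAP is enabled in the tenant.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

$upn = 'new.user@example.com'   # placeholder account

function Remove-EnrollmentTap {
    # Hypothetical helper: revoke every TAP the user still holds.
    param([Parameter(Mandatory)][string]$UserId)
    Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserId | ForEach-Object {
        Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserId `
            -TemporaryAccessPassAuthenticationMethodId $_.Id
    }
}

function New-EnrollmentTap {
    # Hypothetical helper: issue a TAP with the settings used in the post.
    param(
        [Parameter(Mandatory)][string]$UserId,
        [int]$LifetimeInMinutes = 360,   # 6 hours, as chosen with the slider
        [bool]$IsUsableOnce = $false     # multi-use, so it still works after the reboot
    )
    # Revoke any earlier pass first so only the new passcode is valid.
    Remove-EnrollmentTap -UserId $UserId

    $body = @{
        lifetimeInMinutes = $LifetimeInMinutes
        isUsableOnce      = $IsUsableOnce
    }
    New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserId -BodyParameter $body
}

# The passcode is only returned by this call, just like the portal dialog.
$tap = New-EnrollmentTap -UserId $upn
$tap | Select-Object TemporaryAccessPass, StartDateTime, LifetimeInMinutes, IsUsableOnce

# Once the device is provisioned and the user has registered their own methods:
Remove-EnrollmentTap -UserId $upn
```

Because the pass in this setup is multi-use, removing it after enrollment closes the remaining validity window instead of waiting for the 6 hours to run out.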
Enable the Web Sign-in policy
To use our TAP passcode when we Autopilot a device and need to log in to the device again after a reboot, we need to configure a policy in Intune. Without this policy we cannot log in to the device anymore without the user’s password and MFA.
To configure this policy go to the Intune Portal – Devices – Windows – Configuration – Create – New Policy – Platform: Windows 10 and later – Profile type: Settings catalog – Create
Give your Policy a name e.g.: Enable Web Sign-in – enter a description if you want and click next.
Click Add settings and select Authentication as a category – Select Enable Web Sign-in as the setting. Set this to Enabled. Web Sign-in will be enabled for signing in to Windows.
Click next, assign scope tags if you want, assign the policy to a device group and review and create the policy. This policy will create an extra icon on your login screen that you can use to log in with the TAP passcode.
Now let’s see TAP in action on a device.
User experience
Let’s watch how we can use TAP when we try to provision a device. You will notice that I don’t need the user’s password but I will use the TAP passcode to enroll the device. This is a device preparation but with Autopilot or a manual enrollment the behavior is the same.
As the required setup is complete let’s see how we can use TAP with Web Sign-in to log in to the device. Notice the Web Sign-in icon.
Now that we have logged in to the device we will perform a reboot, just to show you that the TAP passcode can be used again to log in to the device.
This concludes this small and easy blog post on Temporary Access Pass with Web Sign-in. It is pretty easy to set up and so convenient to use without the need for the user’s credentials. You will for sure benefit from this easy setup, and it will make your life as a system admin provisioning devices a lot easier without the hassle of bothering end users for their credentials and MFA requests by calling, texting, mailing etc…
And as always if you feel there is something in error or you want to add some stuff from your own experience don’t hesitate to contact me!

Hello,
Thank you for this post. I did know about the TAP but not about web sign-in so I definitely learned something new.
Just to be sure: the TAP would allow a user to log in to a device when the user forgot f.e. their smartphone, or is the web sign-in always required to be able to log in to a device with a TAP?
Hi Michael, yes you can use it for that use case too. Web sign-in is not a dependency for TAP, just a convenient addition to it.
Hi, nice post. Tried this today during autopilot and all went as it should. However, after a reboot the globe sign was still showing but clicking the globe didn’t bring up the web sign-in. Do you know what may be causing this? This breaks autopilot with TAP for users.
We encounter the same problem. When we do the update before TAP into it, it worked perfectly.
But there is a bug…