A Temporary Access Pass (TAP) is a time-limited passcode that can be configured for single use or multiple uses. Users can sign in with a TAP to onboard other passwordless authentication methods, such as Microsoft Authenticator.

Going forward, we would like Ops to utilize TAP for our users.


  • Note that on non-mobile devices like laptops, if the device times out (locks up, etc.), the user's actual login password will be needed to sign back in. Once the user is back in, the TAP will work again with online services.
  • Troubleshooting mobile devices won't require the user's password at all.


Official Microsoft Article for Reference*


Create a Temporary Access Pass

After you enable a TAP policy, you can create TAPs for users in Microsoft Entra ID. 

The following roles can perform various actions related to a TAP:

  • Global Administrators can create, delete, and view a TAP for any user (except themselves).
  • Privileged Authentication Administrators can create, delete, and view a TAP for admins and members (except themselves).
  • Authentication Administrators can create, delete, and view a TAP for members (except themselves).
  • Global Readers can view TAP details for the user (without reading the code itself).



1.    Sign in to the Microsoft Entra admin center as at least an Authentication Administrator.


2.    Browse to Identity > Users.


3.    Select the user you would like to create a TAP for.


4.    Select Authentication methods and click Add authentication method. Select Temporary Access Pass.


5.    Define a custom activation time or duration and select Add.



 

6.    Once added, the details of the TAP are shown.
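
The portal steps above can also be scripted. The following PowerShell is an added example, not part of the referenced Microsoft article: it uses the Microsoft Graph PowerShell SDK to issue a single-use TAP and return the code once. The function name `New-OpsTap` and the UPN `user@contoso.com` are placeholders.

```powershell
# Added example. Assumes the Microsoft Graph PowerShell SDK is installed and the
# signed-in admin holds one of the roles listed above.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

function New-OpsTap {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserId,                # UPN or object ID
        [ValidateRange(10, 43200)] [int] $LifetimeInMinutes = 60, # tenant policy may be stricter
        [datetime] $StartDateTime = (Get-Date),
        [switch] $Replace                                       # delete an existing TAP first
    )

    # A user can hold only one TAP, so check before creating another.
    $existing = Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserId
    if ($existing) {
        if (-not $Replace) {
            throw "User $UserId already has a TAP (id $($existing.Id)). Use -Replace to revoke it first."
        }
        foreach ($tap in $existing) {
            Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserId `
                -TemporaryAccessPassAuthenticationMethodId $tap.Id
        }
    }

    # Single use keeps the exposure window small if the code is intercepted.
    $body = @{
        isUsableOnce      = $true
        lifetimeInMinutes = $LifetimeInMinutes
        startDateTime     = $StartDateTime.ToUniversalTime().ToString('o')
    }
    $created = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserId -BodyParameter $body

    # The passcode is returned only by this create call; later reads do not include it.
    [pscustomobject]@{
        UserId              = $UserId
        TemporaryAccessPass = $created.TemporaryAccessPass
        IsUsableOnce        = $created.IsUsableOnce
        StartDateTime       = $created.StartDateTime
        LifetimeInMinutes   = $created.LifetimeInMinutes
    }
}

# Placeholder UPN: replace with the user being onboarded.
New-OpsTap -UserId 'user@contoso.com' -LifetimeInMinutes 60 | Format-List
```

Hand the code to the user over a trusted channel and avoid writing the returned object to logs or ticket notes.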


 


Enable the Temporary Access Pass policy


A TAP policy defines settings, such as the lifetime of passes created in the tenant, or the users and groups who can use a TAP to sign in.

Before users can sign in with a TAP, you need to enable this method in the authentication method policy and choose which users and groups can sign in by using a TAP.


To configure the TAP authentication method policy:


1.    Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.

2.    Browse to Protection > Authentication methods > Policies.

3.    From the list of available authentication methods, select Temporary Access Pass.

4.    Click Enable and then select users to include or exclude from the policy.

5.    Select Configure to modify the default Temporary Access Pass settings, such as maximum lifetime or length, and click Update.

6.    Select Save to apply the policy.