How to Configure Temporary Access Pass TAP for your Users in Microsoft Entra ID

Hello, everyone. In our continuous learning journey, we have brought you a new topic on configuring Temporary Access Pass (TAP) for your users. In today’s enterprise environments, balancing security with seamless access to corporate data is becoming challenging. Microsoft Entra ID provides several innovative solutions to balance security and user experience.

One such feature is the Temporary Access Pass (TAP). It is a game changer in simplifying authentication methods, is helpful in a password-less environment, and makes life easier for many IT teams. It is gaining popularity for scenarios where users must reset their Multi-Factor Authentication (MFA) and passwords in a streamlined process. In this article, we will discuss how to enable and configure a TAP for users.

A Temporary Access Pass (TAP) is a time-bound or time-limited passcode that can be configured for single-use or multi-use. It is designed to help users onboard and recover access to their accounts without requiring passwords. TAP can also be used as an authentication method when initiating a Windows Autopilot build for new users.

Since TAP is limited by time and usage, it minimizes the risks associated with traditional passwords and provides administrators with a secure recovery method. TAP can be configured to replace passwords with secure, flexible access.

What Problem Does Temporary Access Pass Solve?

For any user and organisation, passwords are a real headache. People tend to forget their passwords and rely on the IT team to reset them. Using TAP, users can easily reset their passwords, as it enables access without requiring the password. Another problem it addresses is onboarding delays. With a TAP, new hires can get access immediately without first configuring MFA and a password.

Prerequisites

Now, we have learned what TAP is and where it can be used in organizations. TAP relies on Microsoft Entra ID configuration and security policies to function effectively. Let’s see below the key prerequisites for TAP before configuring or enabling it in your organization.

  • License requirement: Microsoft Entra ID P1 or P2 licenses
  • Access requirements: To create a TAP, the admin should have either the Global Administrator or the Authentication Administrator role assigned

Configure Temporary Access Pass In Microsoft Entra ID

Before allowing users to use Temporary Access Pass, as admins we need to create the policy and assign it as per the organizational requirement. Let’s see how to create the policy and assign it to end users in the steps below.

  • Log in to the Entra portal using your admin credentials
  • Click on Protection -> Authentication Methods -> Policies
How to Configure Temporary Access Pass TAP for your Users in Microsoft Entra ID – Fig.1

Now click on Temporary Access Pass, then click on Enable and Target and switch on Enable. This enables the policy, and we can assign TAP to all users or to a selected group of users. If you are doing a POC or testing the TAP policies, assign the policy to a test group or POC group.

How to Configure Temporary Access Pass TAP for your Users in Microsoft Entra ID – Fig.2

You might be wondering where we configure the TAP as per our requirements. These settings are available under the Configure section. Click on Configure; here we can configure the TAP lifetime and usability.

How to Configure Temporary Access Pass TAP for your Users in Microsoft Entra ID – Fig.3

By default, Intune provides the best required configuration for any organization. In case you need to change the values as per your requirements, click on Edit. Before editing the values, let’s see in the table below which options are available for us to configure and their default values.

| Configuration | Default Value | Use |
| --- | --- | --- |
| Minimum lifetime | 1 hour | Defines the minimum lifetime for a TAP; it can be configured in minutes, hours and days |
| Maximum lifetime | 8 hours | Defines the maximum lifetime for a TAP; it can be configured in minutes, hours and days |
| Default lifetime | 1 hour | We can also define the default lifetime for a TAP |
| One-time | False | When this value is set to Yes, users can use a TAP only once; if set to No, users can use a TAP multiple times |
| Length | 8 characters | Defines the length of the TAP (ideally use 8 characters) |
How to Configure Temporary Access Pass TAP for your Users in Microsoft Entra ID – Table 1

Now add the required configurations as per your organization's requirements. You can use the default values, which are ideal for any organization. Once you configure the policies, click on Save. At the bottom of the settings page, set the One-time value to No so that each time a Temporary Access Pass is created.

How to Configure Temporary Access Pass TAP for your Users in Microsoft Entra ID – Fig.4
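
The same policy settings can also be applied through the Microsoft Graph authentication methods policy endpoint instead of the portal. The PowerShell below is an added example, not part of the original article; it assumes the Microsoft.Graph.Authentication module is installed, uses the default values from Table 1, and targets a test group whose object ID ($PilotGroupId) is a placeholder.

```powershell
# Added example (not from the original article): apply the Table 1 values
# through Microsoft Graph and print what will change.
# $PilotGroupId is a placeholder; use your test group's object ID.
$PilotGroupId = '00000000-0000-0000-0000-000000000000'

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'

$uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/' +
       'authenticationMethodConfigurations/TemporaryAccessPass'

# Desired settings, in the units Graph uses (minutes).
$desired = [ordered]@{
    state                    = 'enabled'
    minimumLifetimeInMinutes = 60      # Minimum lifetime: 1 hour
    maximumLifetimeInMinutes = 480     # Maximum lifetime: 8 hours
    defaultLifetimeInMinutes = 60      # Default lifetime: 1 hour
    isUsableOnce             = $false  # One-time: False
    defaultLength            = 8       # Length: 8 characters
}

# Show the difference between the current policy and the desired one.
$current = Invoke-MgGraphRequest -Method GET -Uri $uri
foreach ($key in $desired.Keys) {
    if ($current[$key] -ne $desired[$key]) {
        Write-Host ('{0}: {1} -> {2}' -f $key, $current[$key], $desired[$key])
    }
}

# Build the PATCH body: the settings plus the group the policy applies to.
$body = @{ '@odata.type' = '#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration' }
foreach ($key in $desired.Keys) { $body[$key] = $desired[$key] }
$body.includeTargets = @(
    @{ targetType = 'group'; id = $PilotGroupId; isRegistrationRequired = $false }
)

$json = $body | ConvertTo-Json -Depth 5
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $json -ContentType 'application/json'

# Read the policy back and list the values now in effect.
$after = Invoke-MgGraphRequest -Method GET -Uri $uri
foreach ($key in $desired.Keys) { '{0} = {1}' -f $key, $after[$key] }
```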

Now we have enabled the Temporary Access Pass policy in your organization. Next, we need to create the TAP for an authorized user in Entra ID. This can be generated while creating a user account in Entra ID. Let’s see how to create a Temporary Access Pass for an account in the section below.

Create Temporary Access Pass for User Account

A Temporary Access Pass can be created by logging in to Entra ID with the required privileges. Global Administrators and Privileged Authentication Administrators can create, view, or delete a Temporary Access Pass for administrators and members, except for themselves. Let’s see how to create a TAP in the steps below.

  • Log in to the Entra portal using your admin credentials
  • Click on the Users –> All users –> Search for the user to whom you need to create the TAP
How to Configure Temporary Access Pass TAP for your Users in Microsoft Entra ID – Fig.5

Now click on the user and click on Authentication methods at the bottom. Here we will see various authentication methods for users; one of them is Temporary Access Pass.

How to Configure Temporary Access Pass TAP for your Users in Microsoft Entra ID – Fig.7

Now click on Add Authentication Method, and from the Choose method drop-down select Temporary Access Pass. The delayed start time, activation duration and one-time use can be configured as per your organizational requirements.

How to Configure Temporary Access Pass TAP for your Users in Microsoft Entra ID – Fig.8

Once configured, copy the TAP; the admin cannot view the TAP again once it is closed. You can provide this TAP to the user via email or any other means, as per your organization's channels of communication. The admin is also shown the validity of the TAP. Now users can log in and reset the password using this TAP. Let’s see this in the next section.
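
The portal steps in this section map to a single Microsoft Graph call, and the options (delayed start time, activation duration, one-time use) become fields of the request. The PowerShell below is an added example, not part of the original article; New-TapForUser is a hypothetical helper name, the user name is a constructed sample, and the Microsoft.Graph.Authentication module is assumed to be installed.

```powershell
# Added example (not from the original article). New-TapForUser is a
# hypothetical helper; the sample UPN at the bottom is constructed.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All', 'Policy.Read.All'

function New-TapForUser {
    param(
        [Parameter(Mandatory)] [string] $UserId,  # UPN or object ID
        [int]      $LifetimeInMinutes = 60,       # "Activation duration"
        [bool]     $UsableOnce = $true,           # "One-time use"
        [datetime] $StartDateTime                 # "Delayed start time" (optional)
    )
    $base      = 'https://graph.microsoft.com/v1.0'
    $policyUri = "$base/policies/authenticationMethodsPolicy/" +
                 'authenticationMethodConfigurations/TemporaryAccessPass'
    $userUri   = "$base/users/" + [uri]::EscapeDataString($UserId) +
                 '/authentication/temporaryAccessPassMethods'

    # Refuse early if the request falls outside the tenant's TAP policy.
    $policy = Invoke-MgGraphRequest -Method GET -Uri $policyUri
    if ($policy.state -ne 'enabled') {
        throw 'The Temporary Access Pass policy is not enabled.'
    }
    if ($LifetimeInMinutes -lt $policy.minimumLifetimeInMinutes -or
        $LifetimeInMinutes -gt $policy.maximumLifetimeInMinutes) {
        throw ('Lifetime must be between {0} and {1} minutes.' -f
            $policy.minimumLifetimeInMinutes, $policy.maximumLifetimeInMinutes)
    }
    # When the policy's One-time setting is on, every pass is single-use.
    if ($policy.isUsableOnce) { $UsableOnce = $true }

    $body = @{ lifetimeInMinutes = $LifetimeInMinutes; isUsableOnce = $UsableOnce }
    if ($PSBoundParameters.ContainsKey('StartDateTime')) {
        $body.startDateTime = $StartDateTime.ToUniversalTime().ToString('o')
    }

    $json = $body | ConvertTo-Json
    $tap  = Invoke-MgGraphRequest -Method POST -Uri $userUri -Body $json -ContentType 'application/json'

    # The pass value is only present in this creation response; later reads omit it.
    [pscustomobject]@{
        User                = $UserId
        TemporaryAccessPass = $tap.temporaryAccessPass
        StartsAt            = $tap.startDateTime
        LifetimeInMinutes   = $tap.lifetimeInMinutes
        UsableOnce          = $tap.isUsableOnce
    }
}

New-TapForUser -UserId 'new.hire@contoso.com' -LifetimeInMinutes 120
```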

User Experience

Once the user receives the TAP from your organization's admin, they have to log in to the My-sign page in order to set the password and the authentication methods which you enforce for the user. Let’s see how the user can set the password. I have created a new account for our demo purpose.

How to Configure Temporary Access Pass TAP for your Users in Microsoft Entra ID – Fig.9

As soon as the user enters the email address, the user is asked to enter the Temporary Access Pass. The user has to enter the TAP provided. Once the user enters the TAP, the user will be authenticated and able to add the different sign-in methods.

How to Configure Temporary Access Pass TAP for your Users in Microsoft Entra ID – Fig.10

The user will also be prompted to change the password and will be able to set a new password. This helps admins onboard users remotely, without requiring the users to visit the office to set up the account for onboarding purposes.

Conclusion

Thus, Temporary Access Pass helps organizations onboard users remotely. This will help organizations cut down a lot of the tickets raised during the onboarding process. Hope you like the article. Let’s catch up another day with another article.

Author

About Author – Narendra Kumar Malepati (Naren) has 12+ years of experience in IT, working on different MDM tools. Over the last seven years, Naren has been working on various features of Intune, including migration from different MDMs to Intune. Naren mainly focuses on Android, iOS, and MacOS.
