Systems Admin

Configure Temporary Access Pass (TAP) in Microsoft Entra ID

A Temporary Access Pass (TAP) is a time-limited passcode an admin issues to a user that lets them sign in without their password or existing MFA. Two main use cases: onboarding new employees (set up Authenticator on day one without a static password handoff) and lost-device recovery (user locked out of MFA, needs to register a new device). The end-state of a TAP is always: user signs in with TAP → registers a permanent passwordless method → TAP gets deleted.

Phase 1 — enable the TAP policy

Figure: Entra admin centre, Authentication methods > Policies page with Temporary Access Pass selected from the list of methods. Phase 1: entra.microsoft.com > Authentication methods > Policies > Temporary Access Pass.

Sign in as Authentication Policy Administrator (or Global Admin). Authentication methods > Policies > Temporary Access Pass.

Figure: TAP policy Enable toggle being turned on with All users selected as the target scope. Toggle Enable. Target: All users (or scope to a group).

Toggle Enable. Target: All users (or scope to a specific group like “new hires”).

Figure: TAP Configure tab with the Edit dialog showing length, lifetime and one-time use settings, ready to Update and Save. Configure tab > Edit. Length 8–48, lifetime 10 min–30 days, One-time use recommended. Update > Save.

Configure tab > Edit. Settings:

  • Length: 8–48 characters (8 is fine for a short-lived pass; use a longer one if it will be printed or mailed)
  • Maximum lifetime: 10 minutes – 30 days
  • One-time use: tick this for high security — the TAP works once and is then dead

Update > Save.

Phase 2 — generate a TAP for a user

Figure: Users > jdoe > Authentication methods page with the Add authentication method dropdown showing the Temporary Access Pass option. Phase 2: Users > All users > jdoe > Authentication methods > + Add authentication method > Temporary Access Pass. Optional: delayed start time. Add.

Users > All users > click the user (jdoe) > Authentication methods.

+ Add authentication method > Temporary Access Pass. Optional: delayed start time (generate Friday for a Monday onboarding). Click Add.

Figure: Generated TAP passcode displayed on screen with the warning that this is the only time the passcode will be visible. COPY THE PASSCODE NOW. Once you close this window, the passcode is gone forever. Treat like an OTP.

COPY THE PASSCODE IMMEDIATELY. The screen shows it once. If you close the window without copying, the passcode is gone for good and you’ll have to delete the entry and regenerate.

Treat the passcode like an OTP — high-trust, short-lived, one-shot. Send to the user via a secure channel (Signal, password manager, in-person handoff). Don’t email it.

Phase 3 — user signs in with the TAP

Figure: Incognito browser at aka.ms/mysecurityinfo with the test user’s UPN entered as the username. Phase 3: incognito browser > aka.ms/mysecurityinfo > enter the user’s UPN > Next.

User opens incognito browser > aka.ms/mysecurityinfo > enters their UPN > Next.

Figure: Sign-in flow showing the Temporary Access Pass prompt instead of a password, with the copied TAP passcode being pasted. Instead of a password prompt: Temporary Access Pass field. Paste > Sign in.

Instead of a password prompt: Temporary Access Pass field. Paste the passcode > Sign in.

Figure: Successful sign-in landing on the My Sign-Ins page where the user can register a permanent passwordless method. Logged in. User can now register Microsoft Authenticator or FIDO2 from this page.

Logged in. From My Sign-Ins, the user can register Microsoft Authenticator, FIDO2 security key, Windows Hello, etc. — their permanent passwordless method.

Phase 4 — delete the TAP (optional but recommended)

Figure: Authentication methods page with the active TAP listed and the three-dot menu open on Delete, to revoke it after registration completes. Phase 4 (optional): once the user has registered Authenticator, delete the TAP — Auth methods > ... > Delete > Yes.

Once the user has a permanent method registered, delete the TAP. Users > jdoe > Authentication methods > find the TAP entry > ... > Delete > Yes.

If you set One-time use, the TAP is invalidated automatically after the first sign-in. Otherwise, delete it manually to keep your authentication surface clean.
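The same Phase 2 issue and Phase 4 clean-up steps, scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. It assumes the SDK is installed, the admin holds the Authentication Policy Administrator role, and the UPN is a placeholder; the delayed start is computed in UTC so the timezone gotcha described later does not apply.

```powershell
# Added example (not from the original post): Graph PowerShell equivalent of
# Phase 2 (issue a TAP) and Phase 4 (revoke it once a permanent method exists).
# Assumptions: Microsoft.Graph SDK installed, signed-in admin holds the
# Authentication Policy Administrator role, $upn is a placeholder user.
$upn = 'jdoe@contoso.example'

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

# Lifetime and one-time use match the Configure tab settings. StartDateTime is
# built in UTC so the delayed start does not depend on the admin's local timezone.
$start = (Get-Date).ToUniversalTime().Date.AddDays(3).AddHours(8)   # 08:00 UTC, 3 days out
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn `
    -LifetimeInMinutes 60 -IsUsableOnce:$true -StartDateTime $start

# The passcode is only returned here; it cannot be read back later (same as the portal).
Write-Host "TAP for $upn valid from $($tap.StartDateTime.ToString('u')) UTC for $($tap.LifetimeInMinutes) min"
Write-Host "Passcode (hand over via a secure channel, not email): $($tap.TemporaryAccessPass)"

# Phase 4: revoke any remaining TAP entries once the user has a passwordless method.
$permanent = Get-MgUserAuthenticationMethod -UserId $upn | Where-Object {
    $_.AdditionalProperties['@odata.type'] -in @(
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
        '#microsoft.graph.fido2AuthenticationMethod',
        '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod')
}
if ($permanent) {
    Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn | ForEach-Object {
        Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn `
            -TemporaryAccessPassAuthenticationMethodId $_.Id
        Write-Host "Deleted TAP $($_.Id)"
    }
} else {
    Write-Warning "$upn has no permanent passwordless method yet; leaving the TAP in place."
}
```

Run the first half on issue day and the second half from a scheduled clean-up job; the registration check stops you from revoking the TAP before the user has actually enrolled a replacement.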

Things that bite people

Lost the passcode

Most common mistake. Closed the window before copying. No way to recover — delete the entry and generate a new one.

Sent the TAP via email

Don’t. Email is plaintext, often archived, often forwarded. Use Signal, in-person, or a one-time-share password manager link.

Configured TAP for a user with an active password

TAP works alongside passwords by default — users can use either. For new hires you usually also want to disable their password login until they’ve set up Authenticator. Combine with Conditional Access blocking password authentication for that user group.

One-time use disabled and TAP shared

If the user shares their TAP with a colleague (don’t laugh, it happens), and One-time use is off, both can sign in. Always enable One-time use for production.

Delayed start gotcha

The start time is set in the admin’s timezone, but the user may sign in from a different one. Document the start time in UTC to avoid confusion.

What’s next

TAP is the bridge to passwordless. The next post in the Entra ID Security pathway covers SMS-based sign-in (an alternative for users without smartphones), then full passwordless setup.
