Entra ID currently scopes Temporary Access Pass (TAP) creation by admin role, not by manager/reporting hierarchy. The documented model is:
- TAP must be enabled via the Temporary Access Pass policy in the Authentication methods policy.
- TAPs are created for users by specific admin roles:
  - Privileged Authentication Administrator – can create/delete/view TAP for admins and members (except themselves).
  - Authentication Administrator – can create/delete/view TAP for members (except themselves).
  - Authentication Policy Administrator – manages the TAP policy itself.
There is no configuration in the provided documentation that allows delegating TAP creation to “managers only for their direct/indirect reports” based on the organizational hierarchy.
For onboarding scenarios where initial credentials or passwordless bootstrapping must be delegated, the documented guidance instead points to:
- Using Lifecycle Workflows with the task “Generate Temporary Access Pass and send via email to user's manager” as part of an automated process for users synchronized from AD DS. In this model, the workflow (running under appropriate admin context) generates the TAP and sends it to the manager, but the manager does not hold the TAP creation permission; the workflow does.
- Alternatively, admins can generate TAPs via:
  - Entra admin center: Entra ID → Users → user → Authentication methods → Add authentication method → Temporary Access Pass.
  - Microsoft Graph PowerShell using `New-MgUserAuthenticationTemporaryAccessPassMethod`, as described in the TAP documentation.
Given the available information, the recommended approach to meet the business goal (manager shares TAP with reportee) while respecting Entra’s permission model is:
- Enable TAP policy in Entra ID with appropriate lifetime, one-time-use, and length settings.
- Use Lifecycle Workflows (or another automated provisioning/orchestration layer) to:
  - Detect new users (for example, created via HR-driven provisioning or inbound provisioning).
  - Run the “Generate Temporary Access Pass and send via email to user's manager” task so the TAP is automatically created by the workflow and delivered to the manager.
- Keep TAP creation rights restricted to the appropriate admin roles; do not attempt to grant TAP creation directly to managers based on hierarchy, as this is not described as a supported scoping mechanism.
This design enforces that:
- Only centrally controlled workflows/admins can create TAPs.
- Managers receive TAPs only for their own reportees (as driven by the workflow logic and HR data), not for users outside their hierarchy.
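The same pattern (admin context creates the TAP, the manager only receives it) as an added Microsoft Graph PowerShell example that is not part of the original answer; it assumes the Microsoft.Graph SDK is installed, the caller holds a role allowed to create TAPs, and the `Get-MgUserManager`, `New-MgUserAuthenticationTemporaryAccessPassMethod` and `Send-MgUserMail` cmdlets, with all UPNs being placeholders.

```powershell
# Added example (not from the original answer): issue a single-use TAP for a new user
# and deliver it to that user's directory manager, mirroring the Lifecycle Workflow task.
# The caller (not the manager) must hold a TAP-capable admin role.
param(
    [Parameter(Mandatory)][string]$NewUserUpn,           # placeholder, e.g. new.hire@contoso.example
    [string]$SenderUpn = 'onboarding@contoso.example',   # placeholder notification mailbox
    [int]$LifetimeInMinutes = 60                         # keep short; policy may cap this further
)

# Delegated scopes: create auth methods, read the manager link, send the notification mail.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All','User.Read.All','Mail.Send' -NoWelcome

# Fail closed: the manager relationship comes from the directory (HR data), so a user
# with no manager has no entitled recipient and gets no TAP.
$manager     = Get-MgUserManager -UserId $NewUserUpn -ErrorAction SilentlyContinue
$managerMail = $manager.AdditionalProperties['mail']
if (-not $managerMail) {
    throw "No manager with a mail address found for $NewUserUpn; refusing to issue a TAP."
}

# Create a short-lived, one-time-use TAP. The secret is returned only in this response.
$body = @{
    isUsableOnce      = $true
    lifetimeInMinutes = $LifetimeInMinutes
}
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $NewUserUpn -BodyParameter $body

# Deliver to the manager only; the pass is never written to logs or the console.
$message = @{
    subject      = "Temporary Access Pass for $NewUserUpn"
    body         = @{
        contentType = 'Text'
        content     = "Hand this single-use pass to your report directly (in person or by phone).`n" +
                      "It expires in $($tap.LifetimeInMinutes) minutes.`n`nPass: $($tap.TemporaryAccessPass)"
    }
    toRecipients = @(@{ emailAddress = @{ address = $managerMail } })
}
Send-MgUserMail -UserId $SenderUpn -BodyParameter @{ message = $message; saveToSentItems = $false }

# Audit-friendly record of what was issued and to whom, without the secret itself.
[pscustomobject]@{
    User      = $NewUserUpn
    Manager   = $managerMail
    MethodId  = $tap.Id
    ExpiresAt = ([datetime]$tap.StartDateTime).AddMinutes($tap.LifetimeInMinutes)
}
```

Run it from the admin context that the workflow would otherwise use; the manager's mailbox receives the pass but the manager never gains the `UserAuthenticationMethod.ReadWrite.All` permission.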
References:
- Configure Temporary Access Pass to register passwordless authentication methods
- Create a Temporary Access Pass
- Managing users synchronized from Active Directory Domain Services to Microsoft Entra ID with Lifecycle workflows
- Plan deploying Microsoft Entra for user provisioning with SAP source and target apps
- Configure CMMC Level 2 Identification and Authentication (IA) controls