I installed a new motherboard in a system and am now getting this error on the user's attempt to log in to the system even though TAP is disabled on O365. The only way I can fix this issue is by disconnecting and reconnecting AAD. I've had this issue before TAP was forced upon us and the user can just log in as usual. Now I have to spend a half hour rebuilding the user's profile. Not a fan of this feature that is supposedly in private preview and turned OFF on my tenant.
Why might users receive "To sign in, you'll need a new Temporary Access Pass..." error on web sign-in attempt if TAP is disabled for the domain?
Our AAD (M365) is federated to Google as the SAML IdP. This was supporting users logging into their Win 10/11 laptops with Web Sign-in using their Google credentials. Recently, users are getting an error as soon as they enter their UPN "To sign in, you'll need a new Temporary Access Pass. Contact your admin to get one." which is pretty odd since TAP is disabled for our domain. What changed and how do I get web sign-in working again?
Marilee Turscak-MSFT 36,846 Reputation points Microsoft Employee
2022-04-01T21:54:02.86+00:00 Hi @Jason Bradford ,
I understand that your users are being prompted to enter a Temporary Access Pass even though you have TAP disabled for your domain.
I assume that you have already confirmed that it is disabled in the two portal settings:
Azure Active Directory > Security > Authentication methods > Temporary Access Pass > No
Portal.azure.com > User > Authentication method > Temporary Access Pass
These documents indicate that Windows 10 web sign-in enables Temporary Access Pass from the endpoint manager in Intune:
Policy CSP - Authentication - Windows Client Management | Microsoft Learn
It seems that the prompt for the TAP is enabled through Intune via web sign-in, but I have reached out to the product team to confirm as I have seen a number of users reporting this lately.
Marilee Turscak-MSFT 36,846 Reputation points Microsoft Employee
2022-04-01T22:00:06.12+00:00 I got confirmation from the product team that we only support Web Sign-in with TAP. Web sign-in without TAP is in private preview, so there is no support for it at this point. https://learn.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1809#web-sign-in-to-windows-10
Jan-Willem 0 Reputation points
2024-02-16T08:09:33.13+00:00 Is this still in preview? We have the same config as above. TAP is disabled and passwordless is configured. For some users it's working, for some they get the TAP error, and one is even asked to enter his password (even when disabling and re-enabling passwordless in the Authenticator app).