Why might users receive "To sign in, you'll need a new Temporary Access Pass..." error on web sign-in attempt if TAP is disabled for the domain?

Jason Bradford 6 Reputation points
2022-03-28T22:02:47.067+00:00

Our AAD (M365) is federated to Google as the SAML IdP. This was supporting users logging into their Win 10/11 laptops with Web Sign-in using their Google credentials. Recently, users are getting an error as soon as they enter their UPN "To sign in, you'll need a new Temporary Access Pass. Contact your admin to get one." which is pretty odd since TAP is disabled for our domain. What changed and how do I get web sign-in working again?

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Windows for business | Windows Client for IT Pros | User experience | Other

4 answers

  1. blastingbits 6 Reputation points
    2022-07-12T14:06:04.71+00:00

    I installed a new motherboard in a system and am now getting this error on the user's attempt to log in to the system even though TAP is disabled on O365. The only way I can fix this issue is disconnecting and reconnecting AAD. I've had this issue before TAP was forced upon us and the user can just log in as usual. Now I have to spend a half hour rebuilding the user's profile. Not a fan of this feature that is supposedly in private preview and turned OFF on my tenant.

    1 person found this answer helpful.

  2. Jan-Willem 0 Reputation points
    2024-02-16T08:09:33.13+00:00

    Is this still in preview? We have the same config as above. TAP is disabled and passwordless is configured. For some users it's working, for some they get the TAP error and one is even asked to enter his password (even when disabling and re-enabling passwordless in the Authenticator app).


  3. Marilee Turscak-MSFT 37,386 Reputation points Microsoft Employee Moderator
    2022-04-01T22:00:06.12+00:00

    I got confirmation from the product team that we only support Web Sign-in with TAP. Web sign-in without TAP is in private preview, so there is no support for it at this point. https://learn.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1809#web-sign-in-to-windows-10


  4. Marilee Turscak-MSFT 37,386 Reputation points Microsoft Employee Moderator
    2022-04-01T21:54:02.86+00:00

    Hi @Jason Bradford ,

    I understand that your users are being prompted to enter a Temporary Access Pass even though you have TAP disabled for your domain.

    I assume that you have already confirmed that it is disabled in the two portal settings:

    Azure Active Directory > Security > Authentication methods > Temporary Access Pass > No
    Portal.azure.com > User > Authentication method > Temporary Access Pass

    These documents indicate that Windows 10 web sign-in enables Temporary Access Pass from the Endpoint Manager in Intune:

    Policy CSP - Authentication - Windows Client Management | Microsoft Learn

    Enabling web sign-in to Windows for usage with Temporary Access Pass – All about Microsoft Endpoint Manager (petervanderwoude.nl)

    It seems that the prompt for the TAP is enabled through Intune via web sign-in, but I have reached out to the product team to confirm as I have seen a number of users reporting this lately.

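The two settings discussed in the answers above (the device-side Web Sign-in policy and the tenant-side Temporary Access Pass method) can be compared from one script. This is an added example, not code from any poster in this thread; the function name `Get-WebSignInTapState` is hypothetical, and the registry key used to read the applied MDM policy is an assumption, as is the presence of the Microsoft.Graph.Authentication module with `Policy.Read.All` consent.

```powershell
# Added diagnostic sketch, not from the thread. Run on an affected device.
# Assumes: Microsoft.Graph.Authentication is installed and the signed-in
# admin can consent to Policy.Read.All.
function Get-WebSignInTapState {
    [CmdletBinding()]
    param(
        # Assumption: applied Policy CSP values are mirrored under this key.
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'
    )

    # Policy CSP Authentication/EnableWebSignIn:
    #   0 = not configured, 1 = enabled, 2 = disabled
    $webSignIn = 0
    $prop = Get-ItemProperty -Path $PolicyKey -Name 'EnableWebSignIn' -ErrorAction SilentlyContinue
    if ($prop) { $webSignIn = [int]$prop.EnableWebSignIn }

    # Tenant-wide Temporary Access Pass authentication method configuration.
    Connect-MgGraph -Scopes 'Policy.Read.All' | Out-Null
    $uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/' +
           'authenticationMethodConfigurations/TemporaryAccessPass'
    $tap = Invoke-MgGraphRequest -Method GET -Uri $uri

    $webSignInOn = ($webSignIn -eq 1)
    $tapState    = [string]$tap['state']   # 'enabled' or 'disabled'

    [pscustomobject]@{
        Device            = $env:COMPUTERNAME
        EnableWebSignIn   = $webSignIn
        WebSignInEnabled  = $webSignInOn
        TenantTapState    = $tapState
        # The combination reported in this thread: Web Sign-in pushed to the
        # device while TAP is disabled for the tenant.
        WebSignInWithoutTap = ($webSignInOn -and $tapState -ne 'enabled')
    }
}

Get-WebSignInTapState | Format-List
```

A result with `WebSignInWithoutTap : True` matches the configuration the moderator describes as unsupported, so the Intune profile that sets Authentication/EnableWebSignIn is the place to look next.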
