Why might users receive "To sign in, you'll need a new Temporary Access Pass..." error on web sign-in attempt if TAP is disabled for the domain?

Jason Bradford 6 Reputation points
2022-03-28T22:02:47.067+00:00

Our AAD (M365) is federated to Google as the SAML IdP. This was supporting users logging into their Win 10/11 laptops with Web Sign-in using their Google credentials. Recently, users are getting an error as soon as they enter their UPN: "To sign in, you'll need a new Temporary Access Pass. Contact your admin to get one." This is pretty odd, since TAP is disabled for our domain. What changed, and how do I get web sign-in working again?


3 answers

  1. blastingbits 6 Reputation points
    2022-07-12T14:06:04.71+00:00

    I installed a new motherboard in a system and am now getting this error on the user's attempt to log in to the system, even though TAP is disabled on O365. The only way I can fix this issue is by disconnecting and reconnecting AAD. I've had this issue before TAP was forced upon us and the user can just log in as usual. Now I have to spend a half hour rebuilding the user's profile. Not a fan of this feature that is supposedly in private preview and turned OFF on my tenant.

    1 person found this answer helpful.

  2. Marilee Turscak-MSFT 29,856 Reputation points Microsoft Employee
    2022-04-01T21:54:02.86+00:00

    Hi @Jason Bradford,

    I understand that your users are being prompted to enter a Temporary Access Pass even though you have TAP disabled for your domain.

    I assume that you have already confirmed that it is disabled in the two portal settings:

    Azure Active Directory > Security > Authentication methods > Temporary Access Pass > No
    Portal.azure.com > User > Authentication method > Temporary Access Pass

    These documents indicate that Windows 10 web sign-in enables Temporary Access Pass from the endpoint manager in Intune:

    Policy CSP - Authentication - Windows Client Management | Microsoft Learn

    Enabling web sign-in to Windows for usage with Temporary Access Pass – All about Microsoft Endpoint Manager (petervanderwoude.nl)

    It seems that the prompt for the TAP is enabled through Intune via web sign-in, but I have reached out to the product team to confirm as I have seen a number of users reporting this lately.


  3. Marilee Turscak-MSFT 29,856 Reputation points Microsoft Employee
    2022-04-01T22:00:06.12+00:00

    I got confirmation from the product team that we only support Web Sign-in with TAP. Web sign-in without TAP is in private preview, so there is no support for it at this point. https://learn.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1809#web-sign-in-to-windows-10