Hi @alippiatt,
Thanks for your post and apologies for the delayed response! During the Azure AD Join setup, users can authenticate with a TAP (no password required) and set up Windows Hello for Business.
On already Azure AD Joined devices, users must first authenticate with another method, such as a password, smartcard or FIDO2 key, before using TAP to set up Windows Hello for Business.
This is documented here:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-temporary-access-pass#windows-device-setup