Configure Temporary Access Pass to register passwordless authentication methods

Passwordless authentication methods, such as FIDO2 and passwordless phone sign-in through the Microsoft Authenticator app, enable users to sign in securely without a password.

Users can bootstrap passwordless methods in one of two ways:

  • Use existing Microsoft Entra multifactor authentication methods
  • Use a Temporary Access Pass

A Temporary Access Pass (TAP) is a time-limited passcode that can be configured for single use or multiple. Users can sign in with a TAP to onboard other passwordless authentication methods, such as Microsoft Authenticator, FIDO2 and Windows Hello for Business.

A TAP also makes recovery easier when a user has lost or forgotten their strong authentication factor like a FIDO2 security key or Microsoft Authenticator app, but needs to sign in to register new strong authentication methods.

This article shows you how to enable and use a TAP using the Microsoft Entra admin center. You can also perform these actions using REST APIs.

Enable the Temporary Access Pass policy

A TAP policy defines settings, such as the lifetime of passes created in the tenant, or the users and groups who can use a TAP to sign-in.

Before users can sign-in with a TAP, you need to enable this method in the authentication method policy and choose which users and groups can sign in by using a TAP.

Although you can create a TAP for any user, only users included in the policy can sign-in with it. Only Global Admin and Authentication Policy Admin roles can update the TAP authentication method policy.

To configure the TAP authentication method policy:

  1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.

  2. Browse to Protection > Authentication methods > Policies.

  3. From the list of available authentication methods, select Temporary Access Pass.

    Screenshot of how to manage Temporary Access Pass within the authentication method policy experience.

  4. Click Enable and then select users to include or exclude from the policy.

    Screenshot of how to enable the Temporary Access Pass authentication method policy.

  5. (Optional) Select Configure to modify the default Temporary Access Pass settings, such as setting maximum lifetime, or length, and click Update.

    Screenshot of how to customize the settings for Temporary Access Pass.

  6. Select Save to apply the policy.

    The default value and the range of allowed values are described in the following table.

    Setting Default values Allowed values Comments
    Minimum lifetime 1 hour 10 – 43,200 Minutes (30 days) Minimum number of minutes that the TAP is valid.
    Maximum lifetime 8 hours 10 – 43,200 Minutes (30 days) Maximum number of minutes that the TAP is valid.
    Default lifetime 1 hour 10 – 43,200 Minutes (30 days) Individual passes within the minimum and maximum lifetime configured by the policy can override default value.
    One-time use False True/False When the policy is set to false, passes in the tenant can be used either once or more than once during its validity (maximum lifetime). By enforcing one-time use in the TAP policy, all passes created in the tenant are one-time use.
    Length 8 8-48 characters Defines the length of the passcode.

Create a Temporary Access Pass

After you enable a TAP policy, you can create TAPs for users in Microsoft Entra ID. These following roles can perform various actions related to a TAP.

  • Global Administrators can create, delete, and view a TAP for any user (except themselves).
  • Privileged Authentication Administrators can create, delete, and view a TAP for admins and members (except themselves).
  • Authentication Administrators can create, delete, and view a TAP for members (except themselves).
  • Global Readers can view TAP details for the user (without reading the code itself).
  1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.

  2. Browse to Identity > Users.

  3. Select the user you would like to create a TAP for.

  4. Select Authentication methods and click Add authentication method.

    Screenshot of how to create a Temporary Access Pass.

  5. Select Temporary Access Pass.

  6. Define a custom activation time or duration and select Add.

    Screenshot of adding a method - Temporary Access Pass.

  7. Once added, the details of the TAP are shown.

    Important

    Make a note of the actual TAP value, as you will provide this value to the user. You can't view this value after you select Ok.

    Screenshot of Temporary Access Pass details.

  8. Select OK when you're done.

The following commands show how to create and get a TAP using PowerShell.

# Create a Temporary Access Pass for a user
$properties = @{}
$properties.isUsableOnce = $True
$properties.startDateTime = '2022-05-23 06:00:00'
$propertiesJSON = $properties | ConvertTo-Json

New-MgUserAuthenticationTemporaryAccessPassMethod -UserId user2@contoso.com -BodyParameter $propertiesJSON

Id                                   CreatedDateTime       IsUsable IsUsableOnce LifetimeInMinutes MethodUsabilityReason StartDateTime         TemporaryAccessPass
--                                   ---------------       -------- ------------ ----------------- --------------------- -------------         -------------------
c5dbd20a-8b8f-4791-a23f-488fcbde3b38 5/22/2022 11:19:17 PM False    True         60                NotYetValid           23/05/2022 6:00:00 AM TAPRocks!

# Get a user's Temporary Access Pass
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId user3@contoso.com

Id                                   CreatedDateTime       IsUsable IsUsableOnce LifetimeInMinutes MethodUsabilityReason StartDateTime         TemporaryAccessPass
--                                   ---------------       -------- ------------ ----------------- --------------------- -------------         -------------------
c5dbd20a-8b8f-4791-a23f-488fcbde3b38 5/22/2022 11:19:17 PM False    True         60                NotYetValid           23/05/2022 6:00:00 AM

For more information, see New-MgUserAuthenticationTemporaryAccessPassMethod and Get-MgUserAuthenticationTemporaryAccessPassMethod.

Use a Temporary Access Pass

The most common use for a TAP is for a user to register authentication details during the first sign-in or device setup, without the need to complete extra security prompts. Authentication methods are registered at https://aka.ms/mysecurityinfo. Users can also update existing authentication methods here.

  1. Open a web browser to https://aka.ms/mysecurityinfo.

  2. Enter the UPN of the account you created the TAP for, such as tapuser@contoso.com.

  3. If the user is included in the TAP policy, they see a screen to enter their TAP.

  4. Enter the TAP that was displayed in the Microsoft Entra admin center.

    Screenshot of how to enter a Temporary Access Pass.

Note

For federated domains, a TAP is preferred over federation. A user with a TAP completes the authentication in Microsoft Entra ID and isn't redirected to the federated Identity Provider (IdP).

The user is now signed in and can update or register a method such as FIDO2 security key.

Users who update their authentication methods due to losing their credentials or device should make sure they remove the old authentication methods.

Users can also continue to sign-in by using their password; a TAP doesn’t replace a user’s password.

User management of Temporary Access Pass

Users managing their security information at https://aka.ms/mysecurityinfo see an entry for the Temporary Access Pass. If a user does not have any other registered methods, they get a banner at the top of the screen that says to add a new sign-in method. Users can also see the TAP expiration time, and delete the TAP if it's no longer needed.

Screenshot of how users can manage a Temporary Access Pass in My Security Info..

Windows device setup

Users with a TAP can navigate the setup process on Windows 10 and 11 to perform device join operations and configure Windows Hello for Business. TAP usage for setting up Windows Hello for Business varies based on the devices joined state.

For joined devices to Microsoft Entra ID:

  • During the domain-join setup process, users can authenticate with a TAP (no password required) to join the device and register Windows Hello for Business.
  • On already-joined devices, users must first authenticate with another method such as a password, smartcard or FIDO2 key, before using TAP to set up Windows Hello for Business.
  • If the Web sign-in feature on Windows is also enabled, the user can use TAP to sign into the device. This is intended only for completing initial device setup, or recovery when the user doesn't know or have a password.

For hybrid-joined devices, users must first authenticate with another method such as a password, smartcard or FIDO2 key, before using TAP to set up Windows Hello for Business.

Screenshot of how to enter Temporary Access Pass when setting up Windows.

Passwordless phone sign-in

Users can also use their TAP to register for passwordless phone sign-in directly from the Authenticator app.

For more information, see Add your work or school account to the Microsoft Authenticator app.

Screenshot of how to enter a Temporary Access Pass using work or school account.

Guest access

Guest users can sign-in to a resource tenant with a TAP that was issued by their home tenant if the TAP meets the home tenant authentication requirement.

If multifactor authentication (MFA) is required for the resource tenant, the guest user needs to perform MFA in order to gain access to the resource.

Expiration

An expired or deleted TAP can’t be used for interactive or non-interactive authentication.

Users need to reauthenticate with different authentication methods after the TAP is expired or deleted.

The token lifetime (session token, refresh token, access token, and so on) obtained by using a TAP login is limited to the TAP lifetime. When a TAP expires, it leads to the expiration of the associated token.

Delete an expired Temporary Access Pass

Under the Authentication methods for a user, the Detail column shows when the TAP expired. You can delete an expired TAP using the following steps:

  1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
  2. Browse to Identity > Users, select a user, such as Tap User, then choose Authentication methods.
  3. On the right-hand side of the Temporary Access Pass authentication method shown in the list, select Delete.

You can also use PowerShell:

# Remove a user's Temporary Access Pass
Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId user3@contoso.com -TemporaryAccessPassAuthenticationMethodId c5dbd20a-8b8f-4791-a23f-488fcbde3b38

For more information, see Remove-MgUserAuthenticationTemporaryAccessPassMethod.

Replace a Temporary Access Pass

  • Each user can only have one TAP. The passcode can be used during the start and end time of the TAP.
  • If a user requires a new TAP:
    • If the existing TAP is valid, the admin can create a new TAP to override the existing valid TAP.
    • If the existing TAP has expired, a new TAP will override the existing TAP.

For more information about NIST standards for onboarding and recovery, see NIST Special Publication 800-63A.

Limitations

Keep these limitations in mind:

  • When using a one-time TAP to register a passwordless method such as a FIDO2 security key or phone sign-in, the user must complete the registration within 10 minutes of sign-in with the one-time TAP. This limitation doesn't apply to a TAP that can be used more than once.
  • Users in scope for self service password reset (SSPR) registration policy or Identity Protection multifactor authentication registration policy are required to register authentication methods after they've signed in with a TAP using a browser. Users in scope for these policies are redirected to the Interrupt mode of the combined registration. This experience doesn't currently support FIDO2 and phone sign-in registration.
  • A TAP can't be used with the Network Policy Server (NPS) extension and Active Directory Federation Services (AD FS) adapter.
  • It can take a few minutes for changes to replicate. Because of this, after a TAP is added to an account, it can take a while for the prompt to appear. For the same reason, after a TAP expires, users may still see a prompt for TAP.

Troubleshooting

  • If a TAP isn't offered to a user during sign-in:
    • Make sure the user is in scope for the TAP authentication method policy.
    • Make sure the user has a valid TAP, and if it's one-time use, it wasn’t used yet.
  • If Temporary Access Pass sign in was blocked due to User Credential Policy appears during sign-in with a TAP:
    • Make sure the user doesn't have a multi-use TAP while the authentication method policy requires a one-time TAP.
    • Check if a one-time TAP was already used.
  • If TAP sign-in was blocked due to User Credential Policy, check that the user is in scope for the TAP policy.

Next steps