Azure AD Hidden Gems. Azure AD Temporary Access Pass

Temporary Access Pass or TAP, is a cool Azure AD feature which is still in Preview, but I see huge wins if Microsoft put this in to general availability so that the IT admins can provide uninterupted security over user accounts.

In real life, users may forget to bring the mobile phone to office or maybe out of battery so they can’t get in to the Authenticator app to complete the MFA challange.

When a user fails to complete a strong authentication step such as FIDO2 or Multi Factor, Temporary Access Pass can deply to save the day.

In this way if the user doesnt have the ability to complete the strong authentication, IT doesn’t need to take them out from the MFA Conditinal Access Policy for an example. Users have the option of entering the re-usable or one-time TAP to get in.

How to activate TAP?

Go to https://aad.portal.azure.com/ > Azure Active Directory > Security > Authentication methods

Go to Policies > Temporary Access Pass (preview)

In TAP Settings, go to Basic tab and Enable the service

Go to Target and select the users. Please mind me for my love of Star Wars (the users I mean) 🙂

Save the section

Go to Configure tab and set the below if required.

And that’s the setup part. Pretty easy stuff right?


Configure TAP to a selected user

Go to one of the users you added to the policy in the previous step.

Go to Authentication Methods > Enable the new experience page if you haven’t done that yet

Once its done, click on Add Authentiction Method

Select Temp. Acess Pass (preview) option

Configure the settings on how you want the TAP to be

If you don’t want the TAP to activate immediately, select the Delayed Start Time option and set the date and time (shown below)

Press Add and you will get the completion page with the pass. Take a not of the pass.

And that’s it. Now the user has TAP activated.


Test the TAP

Now that the option is activated, hand over the passcode to the user.

Users have the option to go to https://aka.ms/mysecurityinfo to register security info such as a new phone number, new device for multi factor authentication so they can continue using strong authentication.

Now, when the users are presented with the M365 login page to enter their email address and the password, they will now see the option Use your Temporary access pass instead as soon as they enter the email and press enter.

Click on that link without enteringt the password

It willl open the below page

And the user is in!


Final Words

For security purposes this can be setup for one time use as this bypasses the strong authentication methods, but temporarily. Its advisable to setup a lower activation duration.


With this, admins can safely enable the pass without hindering the overall security posture to take out users from Conditinal Access Policies that may lead to “oh I forgot to add the user back” or “the user preferred not to use MFA” kind of exuces.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.