Manage Temporary Access Pass (TAP)

Use this operation to enable TAP as an authentication method for users and, once it is enabled, to create a TAP passcode for the desired users.

Role Requirements

Procedure Scope: Administrators

Required Group Membership: Admin.Security

Handbook Reference

Package: N/A

Domain: N/A

Modifies: N/A


When to Perform this Operation

As Needed: Proactive or in Response to User/Security

Technical Description and Importance

Enabling and issuing Temporary Access Pass (TAP) provides a controlled, time-limited sign-in option that admins can use to bootstrap secure access when a user lacks an existing factor (e.g., first-day setup, or when a device is lost).

This guide shows an administrator how to first enable TAP as an authentication method in Entra ID, scope it to the desired users or groups, and configure defaults for the policy (lifetime, one-time use, passcode length). It then shows how to assign a TAP to a chosen user from the Authentication methods page of that user's profile, where the admin defines the validity window for the passcode and then delivers it to the user over a secure channel of their choosing.

Implementing TAP in this way creates a predictable, auditable path to register stronger, passwordless methods (such as passkeys or Microsoft Authenticator) without relaxing Conditional Access. It reduces lockouts and helpdesk loops, and it limits risk through short-lived, one-time credentials, a clear role separation between policy configuration and issuance, and a single active TAP per user, which supports least privilege, operational clarity, and compliance with modern authentication standards.

Management Options


Enabling TAP as an Authentication Method:

Purpose
Turns on Temporary Access Pass (TAP) for selected users/groups with defined lifetime and restrictions.
Use Case
Prepare the tenant so admins can issue short-lived, one-time passes for onboarding or account recovery without existing MFA.

Creating a Temporary Access Pass for a User:

Purpose
Generates a time-limited, one-time sign-in code for a specific user.
Use Case
A user who lost their phone signs in and registers a new strong method (e.g., passkey or Microsoft Authenticator).

Enabling TAP as an Authentication Method

  1. Navigate to the Authentication Policies – Entra ID portal. Here we will want to locate and select the Temporary Access Pass authentication method entry.

  2. Once inside the policy, ensure that the method is toggled to the Enabled state and that the Target enforcement scope is defined. Once these items have been defined, select Save to finalize the policy enablement and availability.
  3. If desired, select the Configure tab to modify the default Temporary Access Pass settings to fit your needs. Within this section, select the Edit button and configure custom values for settings such as maximum lifetime or length, and specify whether you want TAPs to be multi-use or single-use. Once you have configured your desired settings, select Update to store the new values, followed by Save to finalize the changes.

    Tip: Minimum, Maximum and Default Lifetime can each be set to a maximum of 59 minutes, 23 hours, or 30 days, and the maximum length of a passcode is 48 characters.
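The same policy enablement can be scripted with the Microsoft Graph PowerShell SDK, which is useful when the setting has to be applied consistently across tenants or reviewed in code. The block below is an added example, not part of the original procedure or Sittadel's own tooling. It assumes the Microsoft.Graph module is installed, the signed-in admin holds the Policy.ReadWrite.AuthenticationMethod permission, and the group ID is a placeholder you replace with your own pilot group (or leave as the built-in all_users target). The numeric defaults are illustrative values within the limits stated in the tip above.

```powershell
# Added example: enable and configure the Temporary Access Pass policy via Microsoft Graph
# instead of the portal. Requires the Microsoft.Graph module and an admin session.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

# Target enforcement scope. "all_users" is the built-in target; a group object ID
# (placeholder shown) limits TAP to that group's members, matching the portal Target setting.
$targetGroupId = "all_users"   # e.g. "00000000-0000-0000-0000-000000000000" for a pilot group

$tapPolicy = @{
    "@odata.type"            = "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration"
    state                    = "enabled"
    defaultLifetimeInMinutes = 60     # validity window offered when an admin issues a pass
    defaultLength            = 8      # passcode length; the ceiling is 48 characters
    minimumLifetimeInMinutes = 10
    maximumLifetimeInMinutes = 480    # 8 hours here; the ceiling is 30 days
    isUsableOnce             = $true  # single-use by default; admins may override per pass
    includeTargets           = @(
        @{ targetType = "group"; id = $targetGroupId; isRegistrationRequired = $false }
    )
}

Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "TemporaryAccessPass" `
    -BodyParameter $tapPolicy

# Read the policy back and confirm the saved state before issuing any passes.
# Type-specific settings are exposed through AdditionalProperties on the returned object.
$saved = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "TemporaryAccessPass"

[pscustomobject]@{
    State            = $saved.State
    DefaultLifetime  = $saved.AdditionalProperties["defaultLifetimeInMinutes"]
    MaximumLifetime  = $saved.AdditionalProperties["maximumLifetimeInMinutes"]
    DefaultLength    = $saved.AdditionalProperties["defaultLength"]
    IsUsableOnce     = $saved.AdditionalProperties["isUsableOnce"]
}
```

Reading the configuration back after the update is the scripted equivalent of checking the Enabled toggle and Target scope in the portal; keeping that read-back in a change record gives auditors the effective policy rather than the intended one.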

Create a Temporary Access Pass for a User

  1. Navigate to the Users – Entra ID portal. Here we will want to locate and select the User for whom we want to create a Temporary Access Pass (TAP). Use the search bar if the desired user is not immediately listed.

    Tip: The Target enforcement scope you specified in the section above determines which Users can have a TAP created for them. If All users was specified, you can select any user and follow the steps below to create a TAP; if a specific group was specified, only members of that group can have a TAP created for them.

  2. From the Overview page of the selected User Profile, select the Authentication methods tab. On this page, select the + Add authentication methods action. In the pop-out that appears, open the Choose Method dropdown and select Temporary Access Pass. Here you can customize the default values that were specified during the Authentication Method configuration above. Select Add to finalize the TAP creation for this User.
  3. Once the TAP has been added, its details are displayed. Be sure to capture the value listed under Provide Pass, since this is the actual TAP value that must be provided to the user during authentication for them to complete the TAP prompts. It is up to you to choose a secure channel to distribute this passcode to the applicable user. Select Ok when you are done.

    Tip: You can't view this TAP value again after you select Ok, so be sure to record the value under Provide Pass; otherwise you will need to repeat the steps above to create a new TAP. Also keep in mind that once this TAP reaches its configured lifetime it becomes invalid, and a new TAP will need to be created.
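Issuing the pass can also be done from Microsoft Graph PowerShell, which makes the two constraints in the tips above explicit: only one TAP may exist per user, and the passcode is returned exactly once. The block below is an added example, not part of the original procedure or Sittadel's own tooling. It assumes the Microsoft.Graph module is installed, the admin holds the UserAuthenticationMethod.ReadWrite.All permission, and the user principal name is a placeholder you replace with the real user. The lifetime and single-use values are illustrative overrides of the policy defaults.

```powershell
# Added example: issue a Temporary Access Pass for one user via Microsoft Graph.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

$userId = "user@contoso.example"   # placeholder UPN or object ID of the target user

# A user can hold only one TAP at a time, so remove any existing pass (expired or not)
# before creating a new one; otherwise the create call is rejected.
$existing = Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userId
foreach ($old in $existing) {
    Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userId `
        -TemporaryAccessPassAuthenticationMethodId $old.Id
}

# Issue a short-lived, one-time pass that becomes valid immediately. These values
# override the policy defaults but must stay within the policy's min/max lifetime.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userId `
    -StartDateTime (Get-Date).ToUniversalTime() `
    -LifetimeInMinutes 60 `
    -IsUsableOnce

# The passcode is present only on this response; it cannot be read back afterwards.
# Hand it to the user over your chosen secure channel and do not write it to logs or tickets.
$passcode = $tap.TemporaryAccessPass

# Record the non-secret details for the change record instead of the passcode itself.
$record = [pscustomobject]@{
    User            = $userId
    MethodId        = $tap.Id
    StartUtc        = $tap.StartDateTime
    LifetimeMinutes = $tap.LifetimeInMinutes
    IsUsableOnce    = $tap.IsUsableOnce
    Usable          = $tap.IsUsable
}
$record

# Clear the secret from the session once it has been delivered.
$passcode = $null
```

Deleting the prior pass first mirrors what the portal forces you to do when a user already has a TAP, and logging the method ID and validity window (but never the passcode) gives the same audit trail as the portal's TAP details dialog without leaving the credential in a ticketing system.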

Need Assistance?

Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.