User Login - Sign-in Using TAP

Use this operation to show users how to leverage TAP as an authentication method for Microsoft Portal and Device Login access.

Role Requirements

Procedure Scope: Users

Required Group Membership: N/A

Handbook Reference

Package: N/A

Domain: N/A

Modifies: N/A


When to Perform this Operation

As Needed: In Response to Admin Fulfillment

Technical Description and Importance

Using a Temporary Access Pass (TAP) lets you securely sign in and set up or restore your approved sign-in methods when your usual factor or password isn’t available. With a TAP your admin has provided, you can complete first-time registration, recover after a lost or replaced phone, handle phone-number changes when SMS/voice codes don’t work, re-enroll Microsoft Authenticator or a security key after a reset, finish sign-in on a new Windows device during setup, or regain access after an account lockout. Because TAP is short-lived (and may be one-time), it limits risk while enabling you to quickly enroll stronger, phishing-resistant methods so you can get back to work without loosening security policies. Use your TAP promptly, keep it private, and finish registering your permanent sign-in methods right away.

Management Options


Logging into Microsoft Portals with TAP

Purpose
Allow you to sign in to Microsoft web portals (e.g., Microsoft 365, My Sign-Ins) when your usual password/MFA isn’t available.
Use Case
Use the TAP code your admin gave you to access mysecurityinfo and immediately register or restore your approved methods (Microsoft Authenticator, passkeys) so you can get back into apps like Outlook and Teams.

Logging into Device with TAP

Purpose
Let you sign in on a Windows device during setup or first sign-in when you don’t have a working factor yet (sign-ins require web sign-in to be configured for your device).
Use Case
On a new or reimaged, Entra-joined device, enter your TAP code to complete sign-in, then set up Microsoft Authenticator or a security key so normal sign-ins work going forward.

Logging into Microsoft Portals with TAP

  1. Open the Microsoft portal you want to access. If an administrator in your environment has fulfilled your request to set up a Temporary Access Pass (TAP) credential for your account, you should be able to start a sign-in in the portal by providing your company email address. Select Next to continue.

    Note: Your administrator should have captured the actual TAP passcode during the configuration step for your account and distributed it to you before you start the sign-in. If you don’t have the passcode before carrying out this step, please notify your administrator, since you will not be able to continue until you can satisfy the TAP prompt.

  2. You will be prompted to provide the TAP passcode that was generated by your administrator. Enter the passcode that your admin distributed to you and select Sign in to continue.
  3. After fulfilling the TAP authentication prompt, you should be given access to the resource you were attempting to access.

Logging into Device with TAP

TAP can only be used on a device by users who have web sign-in configured as an allowed authentication method. If this is not in place in your environment, this section does not apply, and TAP will only be usable for authenticating to Microsoft resource portals.

  1. On the login screen for your device, the only way to use TAP for device authentication is to select the web sign-in option (the globe icon when the Sign-in options list is expanded) and then select Sign in.
  2. This should open a web session that asks you to provide a form of authentication to proceed. If an administrator has configured a TAP authentication method for your account, the prompt should default to asking for the TAP passcode, which your administrator should already have distributed to you.

    Note: If you don’t have the passcode before carrying out this step, please notify your administrator, since you will not be able to continue until you can satisfy the TAP prompt.

  3. Once you have successfully fulfilled the TAP authentication prompts, you should be granted access to your device.

Need Assistance?

Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.