
This post includes guidance on configuring a Temporary Access Pass policy and creating a Temporary Access Pass for a specific user.

A Temporary Access Pass (TAP) is an option available in Azure Active Directory that can be used to temporarily bypass a user's MFA requirement. It is recognized as an MFA method and can be used in place of other methods. This is useful in a few scenarios:

• The user cannot use any of their existing MFA methods.
• A new device needs to be configured for the user, with MFA but without the user's involvement (especially for a new user).
• Access to the user's account is required as a last resort, without changing the user's password.


Important

The Temporary Access Pass policy must be enabled before the TAP option is presented at user sign-in. Apart from choosing which group the policy targets, the policy must also be enabled before any of its parameters (such as the validity period) can be configured.

A TAP will NOT work for Windows logon unless web sign-in has been enabled for logon on the workstation.

A user may still be able to use a TAP for some minutes after it has expired or been deleted, because of replication delay within Azure AD. Do not treat deletion as instant revocation.

Configuring the TAP policy

To use a Temporary Access Pass, users have to be assigned a policy that enables it.

1. Log in to the Azure AD portal as either a Global Administrator or an Authentication Policy Administrator.
2. In the menu, navigate to Security, then Authentication Methods, and select Temporary Access Pass.
3. Enable the policy for a selected group of users (or All users) and save the policy.
4. Select the Configure tab and click the Edit button.
5. Configure your desired settings in the right-hand sidebar that pops up. Note the options for Require one-time use and Length (8-48 characters). The character set cannot be changed and includes both alphanumeric and special characters. When done, click the Update button at the bottom.

Using a TAP

1. Log in to the Azure AD portal as either a Global Administrator, Privileged Authentication Administrator, or Authentication Administrator.
2. Navigate to a user's details page and select Authentication Methods.
3. Click Add authentication method at the top (switch to the "new experience" if the option is not available at first).
4. For method, select Temporary Access Pass, then Add.
5. Specify options as desired. You can delay the start time by up to 30 days if you choose.
6. Click Add.

The resulting page shows the TAP, which can be shared with the user, along with a URL the user can use to configure their MFA options. Note the warning to remove old devices from the user's account and take action as needed.

Any web sign-in will now offer the option to use a Temporary Access Pass for the duration of the pass's validity.

A TAP is no longer valid once it ages past its expiration OR, with the One-time option enabled, once it has been used. A new TAP can be created whether or not one already exists or is still valid; the new one simply replaces the old one. No two TAPs can exist for the same user at the same time, so be certain you want to overwrite any existing one that is still valid.
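The same TAP creation done from PowerShell with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not code from the original post; it enforces the single-TAP-per-user caveat above by refusing to replace a pass that is still usable unless asked to. It assumes the Microsoft.Graph modules are installed and the caller holds one of the roles listed in step 1; the user principal name and the default lifetime are placeholders.

```powershell
# Added example (not from the original post): create a Temporary Access Pass for one
# user via Microsoft Graph PowerShell, refusing to overwrite a TAP that is still usable.
# Assumes the Microsoft.Graph modules are installed and the caller has the
# UserAuthenticationMethod.ReadWrite.All scope plus one of the admin roles named above.
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,   # placeholder, e.g. 'user@contoso.example'
    [int]$LifetimeInMinutes = 60,                       # must fall within the tenant policy's min/max
    [switch]$OneTimeUse,                                # mirrors "Require one-time use"
    [datetime]$StartDateTime = (Get-Date),              # delayed start is allowed up to 30 days out
    [switch]$Force                                      # explicitly replace an existing, still-usable TAP
)

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

# Only one TAP may exist per user, and creating a new one silently replaces the old one,
# so look for an existing usable pass before creating another.
$existing = Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName
if ($existing -and $existing.IsUsable -and -not $Force) {
    $validUntil = $existing.StartDateTime.AddMinutes($existing.LifetimeInMinutes)
    throw "A usable TAP already exists for $UserPrincipalName (valid until $validUntil). Re-run with -Force to replace it."
}

$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName `
    -LifetimeInMinutes $LifetimeInMinutes `
    -IsUsableOnce:$OneTimeUse `
    -StartDateTime $StartDateTime.ToUniversalTime()

# The pass value is returned only at creation time and cannot be read back later,
# so hand it to the user out of band and keep it out of logs and transcripts.
[pscustomobject]@{
    User                = $UserPrincipalName
    ValidFrom           = $tap.StartDateTime
    ValidUntil          = $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes)
    OneTimeUse          = $tap.IsUsableOnce
    TemporaryAccessPass = $tap.TemporaryAccessPass
}
```

Because of the replication delay noted under Important, a pass replaced this way may remain accepted for a few minutes after the new one is issued.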


See also: Azure AD MFA Temporary Access Pass
