    My first experience with Temporary Access Pass during Windows Autopilot enrollment

By Peter Klapwijk, February 26, 2021. Updated: January 21, 2022.

Note: Microsoft has since released documentation regarding Temporary Access Pass, and it states that Windows Autopilot is not supported.

On several social media platforms, I saw the excitement about a new Azure AD feature, Temporary Access Pass. If you follow the news about passwordless authentication, you have probably seen these messages too and already know what I'm talking about.

But if you haven't heard, this is how Microsoft describes TAP in the official documentation:

    TAP is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones. TAP also makes recovery easier when a user has lost or forgotten their strong authentication factor like a FIDO2 security key or Microsoft Authenticator app, but needs to sign in to register new strong authentication methods.

With TAP we can provide a new user a Temporary Access Pass (instead of a password). With that TAP, the user is able to sign in to the My Security info portal to register strong authentication methods, like the Authenticator app or a FIDO2 security key. This sounds pretty cool! Before this, the user always needed a password, at least for the very first sign-in to the Windows device, Office 365, etc.

As I'm working a lot with Endpoint Management (Intune), I of course wondered whether TAP can already be used for onboarding a new user who is provided a new Windows 10 device that is enrolled using Windows Autopilot.

I can say: yes, it can! Here you can read about my first experience with TAP and Windows Autopilot enrollment.

    My setup

I created a completely new user (unfortunately still with an auto-generated password). I assigned a Conditional Access (CA) policy that targets all cloud apps, with the grant control set to require MFA and a compliant device. This should completely block access to Office and the Security info portal for this user, as the user doesn't have a compliant device (yet).

As a test device, I spun up a Hyper-V VM running a Windows 10 20H2 build, registered to Windows Autopilot.

    Next, I needed to enable Temporary Access Pass in the Azure Portal and create a TAP using the Azure preview portal.

    Enable Temporary Access Pass

To enable Temporary Access Pass, we can use the 'normal' Azure portal. But at this moment, to assign the user TAP as an authentication method, we need to use the preview portal.

    • Sign-in to the (preview) Azure portal
    • Open Azure Active Directory
    • Browse to Security – Authentication methods
    • Select Temporary Access Pass (Preview)
    • Set Enable to Yes
    • Set Target to All users or a group of (pilot) users
• Click Save
    • Search for your pilot user in Azure AD (in the preview portal)
    • Browse to Authentication methods
• Click Switch to the new user authentication methods… in the purple notification
    • Click + Add authentication method
    • Choose Temporary Access Pass from the drop-down list
    • Set the Delayed start time (optional)
    • Set the Activation duration
    • Set One-time use to No
    • Click Add

The newly created Temporary Access Pass is shown.
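The portal steps above can also be scripted against the same Azure AD authentication method. This is an added example and not code from the original post; it uses the Microsoft Graph PowerShell SDK, assumes the Microsoft.Graph.Identity.SignIns module is installed and the admin holds the UserAuthenticationMethod.ReadWrite.All permission, and the user principal name is a constructed placeholder.

```powershell
# Added example (not from the original post): issue a Temporary Access Pass
# for a pilot user with Microsoft Graph PowerShell instead of the preview portal.
# Assumes the Microsoft.Graph.Identity.SignIns module is installed and that the
# signed-in admin holds the UserAuthenticationMethod.ReadWrite.All permission.
# The UPN below is a constructed placeholder.
param(
    [string]$UserPrincipalName = "pilot.user@contoso.example",
    [int]$LifetimeInMinutes    = 60,   # "Activation duration" in the portal
    [int]$DelayStartHours      = 0     # "Delayed start time" (optional)
)

Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All" | Out-Null

$body = @{
    lifetimeInMinutes = $LifetimeInMinutes
    # Keep the pass multi-use: the same TAP is needed once for the OOBE sign-in
    # and once more for Web sign-in afterwards. A one-time pass would be
    # consumed at enrollment, which is exactly the situation the post avoids.
    isUsableOnce      = $false
}
if ($DelayStartHours -gt 0) {
    $body.startDateTime = (Get-Date).ToUniversalTime().AddHours($DelayStartHours).ToString("o")
}

# A user can hold only one TAP at a time; this call fails if one already exists.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName -BodyParameter $body

# The passcode is only returned by this creation call. Hand it to the user out
# of band and keep it out of logs; later reads return metadata only.
Write-Host "TAP for $UserPrincipalName (valid $($tap.LifetimeInMinutes) min, one-time use: $($tap.IsUsableOnce))"
Write-Host "Passcode: $($tap.TemporaryAccessPass)"

# Verify the issued method as stored in the directory (no secret in this response).
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName |
    Select-Object Id, StartDateTime, LifetimeInMinutes, IsUsableOnce, MethodUsabilityReason
```

The TAP policy itself (Enable and Target, the first block of portal steps) still has to be switched on for the user's group before this pass is usable.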

    We are ready to enroll a Windows 10 device using the Temporary Access Pass!

    Windows Autopilot enrollment with a TAP

    I started my Windows 10 test device which is registered to Windows Autopilot and like usual entered a user account.

    In the next screen, we usually need to provide our password. But in this case, I was asked for the Temporary Access Pass.

    After providing the TAP, the Autopilot enrollment is started.
    When the device setup part is finished, the Windows Sign-in screen is shown.

    This is where it’s getting interesting. Can we also sign-in to the device by entering the TAP instead of the password?
    To be sure that I can use the TAP a second time (the first time was to start the enrollment), I already set the One-time use to No when I created the TAP.

    The answer is NO.

To work around this, I enabled Web Sign-in with an Intune profile setting.

    Select the Web Sign-in icon (Globe) on the right and choose Sign in.

This pops up the Web sign-in screen, which allows us to enter a user account.

    And after that, it allows us to enter the TAP.

    It allows us to sign in and resume the Autopilot enrollment.

    The Autopilot enrollment continues with the Account setup part.

When the enrollment is finished, we're asked to set up Windows Hello.

And I'm signed in with my new user account, without using a password!

When I want to sign in to Office.com, I'm asked to register more (security) information.

    As this device is marked as compliant, it allows me to register my Security information.


    When this is finished, I can also, for example, register my FIDO2 security keys as authentication method.

    This was my first experience with Temporary Access Pass in combination with Windows Autopilot. Leave a comment or reach out to me on social media, to share your experience with Temporary Access Pass!

    And if you’re interested in more passwordless related articles have a look at this overview.

    Peter is a Security (Intune) MVP since 2020 and is working as Modern Workplace Engineer at Wortell in The Netherlands. He has more than 15 years of experience in IT, with a strong focus on Microsoft technologies like Microsoft Intune, Windows, and (low-code) automation.


    15 Comments

    1. Chris Downs on March 1, 2021 15:36

      Hi Peter, loving this so far, it’s made our auto pilot process better as we now don’t have to approach the user to type a password in for enrollment.

      Is it possible to log in as that user after the enrolment using this method?

      I tried using the web sign in, but it just attempts to sign in and lands back to the main windows 10 login screen?

      • Peter Klapwijk on March 8, 2021 15:58

        Hi Chris,

        I was able to sign in with the TAP using Web sign-in. After that, I registered a FIDO2 key and set up a (Windows Hello) PIN to sign in to the device.

    2. Imrinder Randhawa on March 3, 2021 19:06

      We use Whiteglove deployment, so most of our deployment is done device based. However, we have some user based policy which requires sign in to initiate. We will be using TAP so the device is fully ready before user starts to use it. Thank you, great content.

    3. Dave Hall on March 31, 2021 21:41

      Looks like Microsoft have now disabled this from working with Autopilot 🙁

      https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-temporary-access-pass

      A Temporary Access Pass cannot be used with the Network Policy Server (NPS) extension and Active Directory Federation Services (AD FS) adapter, or during Windows Setup/Out-of-Box-Experience (OOBE) and AutoPilot.

      • Nathan on May 6, 2021 05:36

        Such a shame, looks like it worked well. Raised it in UserVoice – vote to bring it back!
        https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/43360992-enable-temporary-access-pass-use-during-autopilot

        • Liam Evans on April 8, 2022 01:44

          That link doesn’t work anymore (as user voice is no longer a thing). I have created a new post with MS Feedback Portal.

          https://feedbackportal.microsoft.com/feedback/idea/b4bb1970-ccb6-ec11-a81c-00224853ab54

      • Forza Horizon on July 10, 2021 14:42

        Really weird that they removed this. I guess it will come back, but maybe in some other form? I mean the Autopilot-enrollment process needs to be passwordless.

        • Peter Klapwijk on May 5, 2022 16:04

          If I understand this announcement correctly, it will be enabled soon for Autopilot: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/expansion-of-fido-standard-and-new-updates-for-microsoft/ba-p/3290633
    4. Remco de Kievit on June 15, 2021 11:44

      Hi Peter,

      Can you point me in the right direction on how to change the behavior on first registration within O365.

      —
      When I want to sign in to Office.com, I`m asked to register more (security) information.
      —

      If the user doesn't have or want to register a phone (or use the mobile phone app), how can you change this? Using phone with voice or SMS isn't secure.

      Thanks,

      Remco
      • Peter Klapwijk on June 15, 2021 20:48

        Hi Remco,

        I'm not sure what you are trying to accomplish.
        But it is triggered by an MFA requirement and/or Self Service Password Reset (SSPR). SSPR can be found here: https://portal.azure.com/#blade/Microsoft_AAD_IAM/PasswordResetMenuBlade/

        You might also want to read this article about Combined security information registration: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-registration-mfa-sspr-combined

        Regards,

        Peter
    5. Chris on June 24, 2021 22:27

      Does using Autopilot work also in hybrid mode with wap/adfs using tap key or are there special setup limitations to consider?

    6. david on December 8, 2021 14:47

      hello,

      Thanks for this explanation of TAP. I tried to use it in an Autopilot/Intune scenario, but it doesn't work.

      It works after enrollment and Intune deployment, but not right after the Autopilot configuration.

      I don't have MFA activated on my user, is it a prerequisite?
    7. MikaelJones on March 7, 2022 18:37

      Let's say you register and configure your account with a FIDO2 key on another computer, can I use that FIDO2 key to Autopilot/OOBE another computer?
      • MikaelJones on March 7, 2022 22:55

        Found the answer in your next article 🙂
        https://inthecloud247.com/authenticate-with-a-fido2-security-key-for-windows-autopilot-enrollment/

    8. S Kremic on February 22, 2023 14:37

      Hello,

      “To workaround this, I enabled Web Sign-in with an Intune profile setting.”

      That I did, but still no “Web Sign-In” on the second sign in.

      After the device is enrolled, web sign-in is present as an option and works fine using TAP.
