Microsoft has released documentation regarding Temporary Access Pass which states that Windows Autopilot is not supported.
On several social media platforms, I saw the excitement about a new Azure AD feature, Temporary Access Pass. And if you're following the news about passwordless stuff, you have probably also seen these kinds of messages and already know what I'm talking about.
But if you haven't heard, this is how Microsoft describes TAP in the official documentation:
TAP is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones. TAP also makes recovery easier when a user has lost or forgotten their strong authentication factor like a FIDO2 security key or Microsoft Authenticator app, but needs to sign in to register new strong authentication methods.
With TAP we can provide a new user with a Temporary Access Pass (instead of a password). With that TAP, the user is able to sign in to the My Security info portal and register strong authentication methods, like the Authenticator app or a FIDO2 security key. This sounds pretty cool! Before this, the user always needed a password, at least for the very first sign-in to the Windows device, Office 365 etc.
As I'm working a lot with Endpoint Management (Intune), I of course wondered whether TAP can already be used for onboarding a new user who is given a new Windows 10 device, enrolled using Windows Autopilot.
I can say: yes, it can! And here you can read about my first experience with TAP and Windows Autopilot enrollment.
My setup
I created a completely new user (unfortunately still with an auto-generated password). I assigned a CA policy that is targeted to all cloud apps, with the grant control set to require MFA and a compliant device. This should completely block access to Office and the Security info portal for this user, as the user doesn't have a compliant device (yet).
As test device, I spun up a Hyper-V VM running a Windows 10 20H2 build and registered it to Windows Autopilot.
Next, I needed to enable Temporary Access Pass in the Azure portal and create a TAP using the Azure preview portal.
Enable Temporary Access Pass
To enable Temporary Access Pass, we can use the 'normal' Azure portal. But at this moment, to assign the user a TAP as authentication method, we need to use the preview portal.
- Sign-in to the (preview) Azure portal
- Open Azure Active Directory
- Browse to Security – Authentication methods
- Select Temporary Access Pass (Preview)
- Set Enable to Yes
- Set Target to All users or a group of (pilot) users
- Click Save
- Search for your pilot user in Azure AD (in the preview portal)
- Browse to Authentication methods
- Click Switch to the new user authentication methods… in the purple notification
- Click + Add authentication method
- Choose Temporary Access Pass from the drop-down list
- Set the Delayed start time (optional)
- Set the Activation duration
- Set One-time use to No
- Click Add
The Temporary Access Pass is now created.
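The same pilot-user TAP can also be created outside the preview portal through Microsoft Graph, with the same three choices (delayed start, activation duration, one-time use set to No). This is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell module is installed, that the signed-in admin holds the UserAuthenticationMethod.ReadWrite.All and Policy.Read.All permissions, and that pilot.user@contoso.example is a placeholder for the pilot user. At the time of the preview these endpoints lived under /beta; the v1.0 paths are used here.

```powershell
# Added example: create a Temporary Access Pass for a pilot user via Microsoft Graph.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All", "Policy.Read.All"

$userUpn = "pilot.user@contoso.example"   # placeholder, replace with the pilot user

# Read the tenant-wide TAP method policy first (the "Enable Temporary Access Pass" step):
# the method must be enabled and the requested lifetime has to sit inside the policy's range.
$policy = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/temporaryAccessPass"
if ($policy.state -ne "enabled") { throw "Temporary Access Pass is not enabled in this tenant" }

$lifetime = 60   # activation duration in minutes
if ($lifetime -lt $policy.minimumLifetimeInMinutes -or $lifetime -gt $policy.maximumLifetimeInMinutes) {
    throw "Lifetime $lifetime is outside the policy range $($policy.minimumLifetimeInMinutes)-$($policy.maximumLifetimeInMinutes) minutes"
}

$body = @{
    startDateTime     = (Get-Date).ToUniversalTime().AddMinutes(10).ToString("o")  # delayed start (optional)
    lifetimeInMinutes = $lifetime
    isUsableOnce      = $false   # keep No: the same TAP is entered at OOBE and again at Web sign-in
}

$tap = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/users/$userUpn/authentication/temporaryAccessPassMethods" `
    -Body $body

# The pass value is only returned in this response; hand it to the user out of band and keep it out of logs.
"TAP for $userUpn valid from $($tap.startDateTime) for $($tap.lifetimeInMinutes) minutes: $($tap.temporaryAccessPass)"
```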
We are ready to enroll a Windows 10 device using the Temporary Access Pass!
Windows Autopilot enrollment with a TAP
I started my Windows 10 test device, which is registered to Windows Autopilot, and as usual entered a user account.
In the next screen, we usually need to provide our password. But in this case, I was asked for the Temporary Access Pass.
After providing the TAP, the Autopilot enrollment is started.
When the device setup part is finished, the Windows Sign-in screen is shown.
This is where it's getting interesting. Can we also sign in to the device by entering the TAP instead of the password?
To be sure that I can use the TAP a second time (the first time was to start the enrollment), I already set the One-time use to No when I created the TAP.
The answer is NO.
To work around this, I enabled Web Sign-in with an Intune profile setting.
Select the Web Sign-in icon (Globe) on the right and choose Sign in.
This pops up the Web sign-in screen, which allows us to enter a user account.
And after that, it allows us to enter the TAP.
It allows us to sign in and resume the Autopilot enrollment.
The Autopilot enrollment continues with the Account setup part.
Once the enrollment is finished, we're asked to set up Windows Hello.
And I'm signed in with my new user account, without using a password!
When I want to sign in to Office.com, I'm asked to register more (security) information.
As this device is marked as compliant, it allows me to register my Security information.
When this is finished, I can also, for example, register my FIDO2 security keys as an authentication method.
This was my first experience with Temporary Access Pass in combination with Windows Autopilot. Leave a comment or reach out to me on social media, to share your experience with Temporary Access Pass!
And if you're interested in more passwordless-related articles, have a look at this overview.
15 Comments
Hi Peter, loving this so far, it's made our Autopilot process better as we now don't have to approach the user to type a password in for enrollment.
Is it possible to log in as that user after the enrolment using this method?
I tried using the web sign-in, but it just attempts to sign in and lands back on the main Windows 10 login screen?
Hi Chris,
I was able to sign in with the TAP using Web sign-in. After that, I registered a FIDO2 key and set up a (Windows Hello) PIN to sign in to the device.
We use Whiteglove deployment, so most of our deployment is done device based. However, we have some user based policy which requires sign in to initiate. We will be using TAP so the device is fully ready before user starts to use it. Thank you, great content.
Looks like Microsoft have now disabled this from working with Autopilot 🙁
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-temporary-access-pass
A Temporary Access Pass cannot be used with the Network Policy Server (NPS) extension and Active Directory Federation Services (AD FS) adapter, or during Windows Setup/Out-of-Box-Experience (OOBE) and AutoPilot.
Such a shame, looks like it worked well. Raised it in UserVoice – vote to bring it back!
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/43360992-enable-temporary-access-pass-use-during-autopilot
That link doesn't work anymore (as UserVoice is no longer a thing). I have created a new post on the MS Feedback Portal.
https://feedbackportal.microsoft.com/feedback/idea/b4bb1970-ccb6-ec11-a81c-00224853ab54
Really weird that they removed this. I guess it will come back, but maybe in some other form? I mean the Autopilot-enrollment process needs to be passwordless.
If I understand this announcement correctly, it will be enabled soon for Autopilot: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/expansion-of-fido-standard-and-new-updates-for-microsoft/ba-p/3290633
Hi Peter,
Can you point me in the right direction on how to change the behavior on first registration within O365?
—
When I want to sign in to Office.com, I`m asked to register more (security) information.
—
If the user doesn't have or want to register a phone (or use the mobile phone app), how can you change this? Using a phone with voice or SMS isn't secure.
Thanks,
Remco
Hi Remco,
I'm not sure what you are trying to accomplish.
But it is triggered by an MFA requirement and/or Self Service Password Reset (SSPR). SSPR can be found here: https://portal.azure.com/#blade/Microsoft_AAD_IAM/PasswordResetMenuBlade/
You might also want to read this article about combined security information registration: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-registration-mfa-sspr-combined
Regards,
Peter
Does using Autopilot also work in hybrid mode with WAP/AD FS using a TAP, or are there special setup limitations to consider?
Hello,
Thanks for this explanation of TAP. I tried to use it in an Autopilot/Intune scenario but it doesn't work.
It works after enrollment and Intune deployment, but not right after the Autopilot configuration.
I don't have MFA activated on my user; is it a prerequisite?
Let's say you register and configure your account with a FIDO2 key on another computer; can I use that FIDO2 key to Autopilot/OOBE another computer?
Found the answer in your next article 🙂
https://inthecloud247.com/authenticate-with-a-fido2-security-key-for-windows-autopilot-enrollment/
Hello,
"To work around this, I enabled Web Sign-in with an Intune profile setting."
That I did, but still no "Web Sign-In" on the second sign-in.
After the device is enrolled, web sign-in is present as an option and works fine using TAP.