In this post I will show you how we can use the Temporary Access Pass (TAP) with Windows Autopilot. TAP allows us to use the temporary passcode which can be used during Windows Autopilot phase without entering the password.

What is Temporary Access Pass (TAP)

Temporary Access Pass is passcode which can be generated through Microsoft Entra ID setting to login to the device for specific number of hours only. We can control whether this passcode can be used for one time user or can be used multiple times within the active period of TAP.

Temporary Access Pass can be useful in multiple scenarios:

  • For onboarding new users with Windows Autopilot: While onboarding the new user in the organization, we can create Temporary Access Pass for the user which can be used as authentication method while initiating Windows Autopilot build.
  • When user has forgotten or lost strong authentication factor devices: Such as FIDO2 or Microsoft Authenticator app which are considered as strong authentication factor. If these devices are forgotten by user, they can’t register new device. If they request for temporary access pass, they will be granted access for couple of hours which can help them to not only register the device but also can set Microsoft Authenticator, FIDO2 and Windows Hello for Business.

Pre-requisites for enabling Temporary Access Pass

There are certain requirements to be met before using this feature.

Login to Microsoft Entra admin center and navigate to Protection > Authentication methods.

Click on Temporary Access Pass which currently in Disabled state.

Authentication  methods Temporary Access Pass

Enable the setting. You may target it to all users or selected groups.

Temporary Access Pass settings

Click on Configure tab, this will provide the additional settings where we can define the settings related to passcode, following are the default value:

Minimum lifetime: 1 hour (
Maximum lifetime: 8 hours
Default lifetime: 1 hour
One-time: No
Length: 8 characters

Configure Temporary Access Pass settings

You may change the values according to your organizations need. Save the settings.

Create Temporary Access Pass for user

Navigate to one of the user under Identity > All users. Select the user and go to Authentication methods.

Click on Add authentication method and choose Temporary Access Pass from the drop-down menu. We have option to go with One-time use as well. With this setting, we are going to get temporary access pass for 1 hour. Click on Add.

Add authentication method for Temporary Access Pass

Temporary Access Pass details will be generated for you. Make a note of the passcode and supply it to the user.

Temporary Access Pass details

Configuration required for Autopilot

Though configuration is done for Temporary Access Pass. At this point, we are good to initiate the Windows Autopilot process which will be sufficient to start the process and will be able to complete two phases that is Device Preparation and Device Setup. After that you will be presented with user login page waiting to enter the credentials to initiate Account Setup phase. Login won’t work with temporary access password at this stage.

We need to create a policy on Intune to enable the Web sign-in. This is a new experience for the user, if enabled user will be able to login to the device using Web sign-in credential provider which will be visible on Windows lock screen. Scroll down to see the last picture showing the Web sign-in icon.

Web sign-in policy is part of settings catalog. Navigate to Microsoft Intune admin center and go to Devices > Configuration Profiles. Create new policy with Profile type selected as Settings catalog.

Search for Enable Web Sign in and add the setting showing Enabled. Web Sign-in will be enabled for signing in to Windows.

Settings catalog - Web sign-in

Target this policy to Autopilot device. We are ready to initiate the process.

Windows Autopilot process with TAP

Once we start the device, Out-of-box-experience (OOBE) setup phase will launch. Provide the user name and click Next.

Autopilot login

Rather than asking the password, you will see Enter Temporary Access Pass, enter the previously gather temporary access pass which we generated.

Enter Temporary Access Pass

Autopilot process will initiate and wait for Device Preparation and Device Setup phase to complete.

Once completed, you will be represented with login page for the user. Don’t enter the passcode now as it won’t work. Click on Sign-in options and you will be able to see third option enabled which is Web Sign-in option. Select this option and click on Sign in. This option is available because of settings catalog we targeted to the device.

select Web sign-in option

Next page will ask you to enter the Temporary Access Pass and the process gets completed.

Conclusion

Temporary Access Pass can be easily used for Windows Autopilot for onboarding new device. We can use this service in absence of forgotten strong authentication factor such as FIDO2 or Microsoft Authenticator App. This is also useful if we have lost these the device. Once we have Temporary Access Pass, we can register the device and can re-configure other authentication methods by navigating to https://aka.ms/mysecurityinfo.

Enter Temporary Access Pass

Important Links

https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass

https://learn.microsoft.com/en-us/windows/security/identity-protection/web-sign-in/?tabs=intune