Microsoft Entra ID now supports Temporary Access Passes (TAPs) for internal guest users.
Published: Jan 13, 2025
Key Takeaways:
Microsoft Entra ID has introduced support for issuing Temporary Access Passes (TAPs) for internal guest users. These passcodes are time-limited and help onboard and recover accounts without relying on traditional passwords.
A Temporary Access Pass (TAP) in Microsoft Entra ID is a time-limited passcode designed to help users onboard passwordless authentication methods, such as FIDO2 security keys or the Microsoft Authenticator app. It also enables users to regain account access without relying on a password. Administrators can configure TAP policies to define the passcode’s duration and usage limits and assign it to specific users or groups.
Microsoft has outlined several key benefits of this new feature for Entra ID customers. It lets internal guests set up and recover their accounts with time-bound TAPs. It offers a secure temporary access method that minimizes the risks associated with lost or forgotten passwords. Administrators can manage TAPs for internal guests to ensure that necessary access is provided without compromising security.
To get started, administrators will need to enable the Temporary Access Pass (TAP) policy in the Microsoft Entra admin center. Next, they will generate TAPs for internal guests using the Entra admin center or Microsoft Graph. Finally, IT admins will allow internal guests to use these TAPs for seamless onboarding and account recovery.
“You can add a TAP as a sign-in method to an internal guest, but not other types of guests. An internal guest has user object UserType set to Guest. They have authentication methods registered in Microsoft Entra ID,” Microsoft explained.
Keep in mind that enterprise admins who try to add a TAP to an external guest account in the Microsoft Entra admin center or Microsoft Graph will encounter the following error message: “Temporary Access Pass cannot be added to an external guest user.”
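As an added example (not code from Microsoft or from this article), the Python sketch below pre-checks a Microsoft Graph user object before building the `temporaryAccessPassMethods` request, so an external guest is refused locally instead of by the service. The function names, the sample users and the internal-versus-external heuristic (`externalUserState` or `#EXT#` in the UPN) are assumptions made for illustration; the service remains the authority on which accounts qualify.

```python
GRAPH = "https://graph.microsoft.com/v1.0"
EXTERNAL_GUEST_ERROR = "Temporary Access Pass cannot be added to an external guest user."


def classify(user):
    """Return 'member', 'internal_guest' or 'external_guest' for a Graph user object."""
    if (user.get("userType") or "").lower() != "guest":
        return "member"
    # Assumption (heuristic, not from the article): an invited B2B guest has
    # externalUserState set and/or '#EXT#' in its UPN; an internal guest has neither.
    upn = user.get("userPrincipalName") or ""
    if user.get("externalUserState") or "#EXT#" in upn.upper():
        return "external_guest"
    return "internal_guest"


def build_tap_request(user, lifetime_minutes=60, usable_once=True):
    """Build (without sending) the Graph call that creates a TAP for `user`."""
    if classify(user) == "external_guest":
        # Fail locally with the same message the service returns.
        raise ValueError(EXTERNAL_GUEST_ERROR)
    # Graph accepts 10..43200 minutes; the tenant TAP policy may narrow this range.
    if not 10 <= lifetime_minutes <= 43200:
        raise ValueError("lifetimeInMinutes must be between 10 and 43200")
    return {
        "method": "POST",
        "url": f"{GRAPH}/users/{user['id']}/authentication/temporaryAccessPassMethods",
        "body": {"lifetimeInMinutes": lifetime_minutes, "isUsableOnce": usable_once},
    }


# Constructed sample records (IDs and names are placeholders, not real accounts).
SAMPLE_USERS = [
    {"id": "00000000-0000-0000-0000-000000000001", "userType": "Guest",
     "userPrincipalName": "contractor@contoso.example", "externalUserState": None},
    {"id": "00000000-0000-0000-0000-000000000002", "userType": "Guest",
     "userPrincipalName": "partner_fabrikam.example#EXT#@contoso.example",
     "externalUserState": "Accepted"},
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        try:
            print(classify(u), build_tap_request(u))
        except ValueError as err:
            print(classify(u), "refused:", err)
```

The defaults (60 minutes, one-time use) keep the passcode's exposure window short; widen them only as far as the tenant's TAP policy and the onboarding workflow require.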
Overall, this new feature significantly enhances the flexibility and security of account management for Entra ID customers. We invite you to check out this support page to learn more about how to configure a Temporary Access Pass to register passwordless authentication methods.