Temporary Access Pass (TAP) in Microsoft 365

Enable TAP in Entra ID first:

  1. Entra admin center – Protection – Authentication methods
  2. Click Temporary Access Pass
  3. Set to Enabled, configure who can use it, set lifetime (default 1 hour, max 8 hours or 30 days for one-time use)
  4. Save

Create a TAP for a user:

  1. Entra admin center – Users – select the user ( https://entra.microsoft.com/ )
  2. Authentication methods
  3. Click Add authentication method
  4. Choose Temporary Access Pass
  5. Set duration and whether it’s one-time use
  6. Copy the code – you only see it once

How the user uses it:

  • Go to outlook.com or sign in wherever you need to
  • When prompted for a password, click “Sign-in options” – then “Temporary Access Pass”
  • Enter the TAP code
  • Once in, they set up their MFA method (Authenticator app, etc.)

Common use cases at an MSP:

  • New employee first login
  • User locked out / lost MFA device
  • Migrating a user to a new device and need them to register fresh

Key notes:

  • TAP bypasses MFA temporarily – treat it like a password
  • One-time use TAPs expire after first login
  • Reusable TAPs expire based on the time window you set