Passwordless Login to Entra-Joined Devices Using a Temporary Access Pass (TAP)

TL;DR

Run this command on an Entra-joined Windows device (elevated Command Prompt), reboot, enable TAP in the Entra admin center, issue a passcode, and your user is one globe-icon-click away from a passwordless sign-in:

reg add HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication /v EnableWebSignIn /t REG_DWORD /d 1 /f


Handing a user a short-lived passcode that gets them straight to the Windows desktop — no password, no separate MFA prompt (the pass itself counts as a strong credential), no helpdesk back-and-forth — is one of the cleanest workflows Microsoft has shipped in years. The trick is pairing a Temporary Access Pass (TAP) from Microsoft Entra ID with the Web Sign-in credential provider in Windows.

This walkthrough covers the whole flow: flipping on Web Sign-in with a single registry command, enabling the TAP policy in Entra, issuing the passcode, and logging in on the device.


What You’ll Need

  • A Microsoft Entra joined device (this does not work on Hybrid Joined or AD-only machines)
  • Windows 11 22H2 with KB5030310 or later (older Windows 10 1809+ builds have a Web Sign-in provider, but the TAP flow described here is documented and tested for Windows 11)
  • No specific Entra ID license is needed for TAP itself; Microsoft Entra ID P1 or higher is required only if you want Conditional Access policies to govern the sign-in
  • One of these admin roles to issue the TAP: Global Administrator, Privileged Authentication Administrator, or Authentication Administrator (the last can issue passes only to users who hold no admin role themselves)
  • Authentication Policy Administrator role to configure the TAP policy itself

Step 1: Enable Web Sign-in on the Device

Web Sign-in is the credential provider that puts the little globe icon on the Windows lock screen. Without it, the device has nowhere to accept a TAP code at sign-in time.

Open an elevated Command Prompt (Run as administrator) on the target device and run:

reg add HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication /v EnableWebSignIn /t REG_DWORD /d 1 /f

That’s it. What this does:

  • HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication is the policy location Windows reads at sign-in
  • EnableWebSignIn is the value name that toggles the Web Sign-in credential provider
  • REG_DWORD /d 1 sets it to enabled (use 0 to disable later)
  • /f is force, no confirmation prompt

Reboot the device for the change to take effect. After it comes back up, you’ll see a new sign-in option on the lock screen — a small globe icon under “Sign-in options.”

Doing this at scale? The registry command is great for testing, recovery, or a single device. For fleet-wide deployment, push the equivalent setting through Intune: Devices → Configuration → Create → Settings catalog → Authentication → Enable Web Sign In → Enabled (the underlying CSP node is ./Device/Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn, which is exactly what the registry key above mirrors). Same outcome, but managed centrally and reapplied automatically after a wipe and re-enrollment.
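As an added example (not part of the original post), here is a PowerShell version of Step 1 that refuses to run on anything but a pure Entra joined device, sets the value idempotently, and reads it back. Run it from an elevated PowerShell session. It assumes the English-language output of dsregcmd /status (the "AzureAdJoined : YES" / "DomainJoined : NO" lines); on other display languages adjust the regular expression.

```powershell
#Requires -RunAsAdministrator
# Added example: enable Web Sign-in only on a device that is actually Entra joined.
# Assumes the English-language output of dsregcmd /status ("AzureAdJoined : YES").

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'
$ValueName = 'EnableWebSignIn'

function Get-JoinState {
    # Parse the "Device State" lines of dsregcmd /status into a hashtable of booleans.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(YES|NO)\s*$') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    return $state
}

$join = Get-JoinState
# Hybrid joined devices report AzureAdJoined: YES *and* DomainJoined: YES, so test both.
if (-not $join['AzureAdJoined'] -or $join['DomainJoined']) {
    throw "Web Sign-in with TAP needs a pure Entra joined device. AzureAdJoined=$($join['AzureAdJoined']) DomainJoined=$($join['DomainJoined'])"
}

# Create the policy key if this CSP node has never been written on the device.
if (-not (Test-Path $PolicyKey)) {
    New-Item -Path $PolicyKey -Force | Out-Null
}

$current = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($current -eq 1) {
    Write-Host 'Web Sign-in already enabled; nothing to do.'
} else {
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value 1 -Type DWord
    Write-Host 'Web Sign-in enabled. Reboot for the globe icon to appear on the lock screen.'
}

# Read back and confirm the value actually stuck.
$after = (Get-ItemProperty -Path $PolicyKey -Name $ValueName).$ValueName
if ($after -ne 1) { throw "Policy value did not persist (read back '$after')." }
```

The script deliberately does not reboot the machine; do that yourself once you have confirmed the value is in place.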


Step 2: Enable the Temporary Access Pass Policy in Entra

TAP is off by default in the tenant. Turn it on:

  1. Go to the Microsoft Entra admin center at entra.microsoft.com
  2. Navigate to Protection → Authentication methods → Policies
  3. Click Temporary Access Pass
  4. Switch Enable to On
  5. Under Target, choose All users or scope to a specific group (recommended for pilots)
  6. Click the Configure tab and set:
    • Minimum lifetime: 1 hour (the tenant default; the policy allows anything from 10 minutes up to 30 days)
    • Maximum lifetime: 8 hours (the tenant default, not a hard ceiling; Microsoft allows up to 30 days, but keep it short)
    • Default lifetime: 1 hour
    • One-time use: No if the user will need the pass more than once during setup (for example, to sign in and then register Windows Hello for Business), Yes for tighter security
    • Length: 8 characters (the minimum; up to 48 is allowed)
  7. Click Save

Replication can take a few minutes. If a TAP prompt doesn’t appear right away, give it 5–10 minutes.


Step 3: Issue a TAP to the User

  1. In the Entra admin center, go to Identity → Users → All users
  2. Find and click the user
  3. Open Authentication methods in the left menu
  4. Click + Add authentication method
  5. From the dropdown, choose Temporary Access Pass
  6. Set the activation time, lifetime, and one-time use preference
  7. Click Add

Entra will display the passcode exactly once. Copy it now — once you close the window, it’s gone (you can only delete the pass and issue a new one). Hand it to the user through a secure channel (in person, a phone call, or a verified secure messaging tool — not plain email).
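The same two steps can be scripted. As an added example (not part of the original post), the Microsoft Graph PowerShell script below first enables the TAP policy scoped to a pilot group (Step 2) and then issues a one-hour, multi-use pass to a user (Step 3). The pilot group object id and the user UPN are placeholders to replace with your own; the script assumes the Microsoft.Graph.Identity.SignIns module is installed and that the signed-in account holds the roles listed under What You’ll Need.

```powershell
# Added example: configure the TAP policy and issue a pass with Microsoft Graph PowerShell.
# Assumes Microsoft.Graph.Identity.SignIns is installed. The group id and UPN are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns

# Two scopes: one for the tenant-wide authentication method policy, one for per-user methods.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'UserAuthenticationMethod.ReadWrite.All'

$PilotGroupId = '00000000-0000-0000-0000-000000000000'  # placeholder: object id of your pilot group
$TargetUpn    = 'jane.doe@contoso.com'                   # placeholder UPN

# --- Step 2 equivalent: enable TAP, scoped to the pilot group, with the values from the article ---
$policy = @{
    '@odata.type'            = '#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration'
    state                    = 'enabled'
    minimumLifetimeInMinutes = 60
    maximumLifetimeInMinutes = 480
    defaultLifetimeInMinutes = 60
    defaultLength            = 8
    isUsableOnce             = $false
    includeTargets           = @(
        @{ targetType = 'group'; id = $PilotGroupId; isRegistrationRequired = $false }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'TemporaryAccessPass' -BodyParameter $policy

# --- Step 3 equivalent: issue a one-hour, multi-use pass that is valid immediately ---
$tapBody = @{
    startDateTime     = (Get-Date).ToUniversalTime().ToString('o')
    lifetimeInMinutes = 60
    isUsableOnce      = $false
}
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $TargetUpn -BodyParameter $tapBody

# The clear-text code comes back exactly once, in this response. Graph never returns it again,
# so hand it over out-of-band and keep this object out of transcripts and logs.
[pscustomobject]@{
    User       = $TargetUpn
    Code       = $tap.TemporaryAccessPass
    ValidFrom  = $tap.StartDateTime
    ExpiresAt  = $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes)
    OneTimeUse = $tap.IsUsableOnce
    MethodId   = $tap.Id   # keep this: it is what Remove-MgUserAuthenticationTemporaryAccessPassMethod needs to revoke the pass early
}
```

If the pass is compromised before it expires, revoke it by method id rather than waiting for the lifetime to run out; a deleted TAP is rejected immediately.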


Step 4: Sign In to the Device With the TAP

On the Windows lock screen:

  1. Click Sign-in options below the password field
  2. Click the globe icon (Web Sign-in)
  3. Click Sign in
  4. Enter the user’s UPN (e.g., jane.doe@contoso.com) and click Next
  5. When prompted, enter the Temporary Access Pass code
  6. Windows authenticates against Entra and signs the user in to the desktop

No password. No separate MFA prompt, because the TAP itself satisfies the multifactor requirement. The user is in. Have them register Windows Hello for Business (or a FIDO2 key) during this first session: the pass expires, and a Web Sign-in session leaves no cached password behind to fall back on.


Gotchas Worth Knowing

  • Entra Joined only. Web Sign-in + TAP doesn’t work on Hybrid Joined or domain-joined devices. On those, the user has to authenticate with a password, smart card, or FIDO2 key first, and TAP can only be used to register Windows Hello afterward.
  • Internet required. Web Sign-in needs an active connection to Entra; there is no offline mode. Offline sign-in only works with a credential already registered on the device, such as Windows Hello for Business, so get that set up before the user leaves the network.
  • Web Sign-in becomes the default credential provider after it’s used, which can confuse users on subsequent sign-ins. If that’s an issue, push an Intune policy to set Password (or Windows Hello) as the default credential provider: Settings catalog → Administrative Templates → System → Logon → Assign a default credential provider. The setting takes the credential provider’s CLSID, not a friendly name, so look that up before you deploy.
  • Conditional Access still applies. If your CA policies require compliant devices or specific locations, TAP sign-in respects those rules. A policy that requires MFA is satisfied by the TAP itself, so don’t expect a second factor to be demanded.
  • Federated tenants: if the domain’s federatedIdpMfaBehavior is set to enforceMfaByFederatedIdp, the user gets redirected to the federated IdP instead of seeing a TAP prompt. Set it to acceptIfMfaDoneByFederatedIdp if you want TAP to be accepted.
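For the federation gotcha, an added example (not part of the original post) that reads the setting for a domain and flips it only when it is the blocking value. It assumes the Microsoft.Graph.Identity.DirectoryManagement module is installed and that contoso.com is replaced with your own federated domain; a managed (non-federated) domain has no federation configuration and is reported as unaffected.

```powershell
# Added example: check, and if necessary change, a domain's federatedIdpMfaBehavior so that
# TAP prompts are not redirected to the federated IdP. contoso.com is a placeholder.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'Domain.ReadWrite.All'

$Domain = 'contoso.com'   # placeholder: your federated domain

$fed = Get-MgDomainFederationConfiguration -DomainId $Domain
if (-not $fed) {
    Write-Host "$Domain has no federation configuration (managed domain); TAP prompts are not affected."
    return
}

foreach ($cfg in $fed) {
    Write-Host "$Domain ($($cfg.Id)): federatedIdpMfaBehavior = $($cfg.FederatedIdpMfaBehavior)"
    if ($cfg.FederatedIdpMfaBehavior -eq 'enforceMfaByFederatedIdp') {
        # With this value users are bounced to the federated IdP and never see the TAP prompt.
        Update-MgDomainFederationConfiguration -DomainId $Domain -InternalDomainFederationId $cfg.Id `
            -FederatedIdpMfaBehavior 'acceptIfMfaDoneByFederatedIdp'
        Write-Host '  changed to acceptIfMfaDoneByFederatedIdp'
    }
}
```

Changing this value affects every user in the domain, not just TAP users, so agree the change with whoever owns the federated IdP before running it outside a lab tenant.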