{"id":1938,"date":"2026-05-18T21:44:46","date_gmt":"2026-05-18T21:44:46","guid":{"rendered":"https:\/\/www.ultrexstaff.com\/?p=1938"},"modified":"2026-05-18T21:44:46","modified_gmt":"2026-05-18T21:44:46","slug":"using-web-sign-in-with-tap","status":"publish","type":"post","link":"https:\/\/www.ultrexstaff.com\/?p=1938","title":{"rendered":"Using Web sign in with TAP"},"content":{"rendered":"\n

Passwordless Login to Entra-Joined Devices Using a Temporary Access Pass (TAP)<\/h1>\n\n\n\n

TL;DR<\/h2>\n\n\n\n

Run this command on an Entra-joined Windows device (elevated Command Prompt), reboot, enable TAP in the Entra admin center, issue a passcode, and your user is one globe-icon-click away from a passwordless sign-in:<\/p>\n\n\n\n

reg add HKLM\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\Authentication \/v EnableWebSignIn \/t REG_DWORD \/d 1 \/f<\/p>\n\n\n\n

\n\n\n\n

Handing a user a short-lived passcode that gets them straight to the Windows desktop \u2014 no password, no MFA prompt, no helpdesk back-and-forth \u2014 is one of the cleanest workflows Microsoft has shipped in years. The trick is pairing a Temporary Access Pass (TAP)<\/strong> from Microsoft Entra ID with the Web Sign-in<\/strong> credential provider in Windows.<\/p>\n\n\n\n

This walkthrough covers the whole flow: flipping on Web Sign-in with a single registry command, enabling the TAP policy in Entra, issuing the passcode, and logging in on the device.<\/p>\n\n\n\n

\n\n\n\n

What You’ll Need<\/h2>\n\n\n\n
    \n
  • A Microsoft Entra joined<\/strong> device (this does not<\/em> work on Hybrid Joined or AD-only machines)<\/li>\n\n\n\n
  • Windows 11 22H2 with KB5030310 or later<\/strong> (Windows 10 1809+ works for Web Sign-in but Windows 11 is strongly preferred)<\/li>\n\n\n\n
  • Microsoft Entra ID P1<\/strong> license or higher for the user<\/li>\n\n\n\n
  • One of these admin roles to issue the TAP: Global Administrator<\/strong>, Privileged Authentication Administrator<\/strong>, or Authentication Administrator<\/strong><\/li>\n\n\n\n
  • Authentication Policy Administrator<\/strong> role to configure the TAP policy itself<\/li>\n<\/ul>\n\n\n\n
    \n\n\n\n

    Step 1: Enable Web Sign-in on the Device<\/h2>\n\n\n\n

    Web Sign-in is the credential provider that puts the little globe icon on the Windows lock screen. Without it, the device has nowhere to accept a TAP code at sign-in time.<\/p>\n\n\n\n

    Open an elevated Command Prompt<\/strong> (Run as administrator) on the target device and run:<\/p>\n\n\n\n

    reg add HKLM\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\Authentication \/v EnableWebSignIn \/t REG_DWORD \/d 1 \/f<\/p>\n\n\n\n

    That’s it. What this does:<\/p>\n\n\n\n

      \n
    • HKLM\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\Authentication<\/strong> is the policy location Windows reads at sign-in<\/li>\n\n\n\n
    • EnableWebSignIn<\/strong> is the value name that toggles the Web Sign-in credential provider<\/li>\n\n\n\n
    • REG_DWORD \/d 1<\/strong> sets it to enabled (use 0 to disable later)<\/li>\n\n\n\n
    • \/f<\/strong> is force, no confirmation prompt<\/li>\n<\/ul>\n\n\n\n

      Reboot the device<\/strong> for the change to take effect. After it comes back up, you’ll see a new sign-in option on the lock screen \u2014 a small globe icon under “Sign-in options.”<\/p>\n\n\n\n

      \n

      Doing this at scale?<\/strong> The registry command is great for testing, recovery, or a single device. For fleet-wide deployment, push the equivalent setting through Intune: Devices \u2192 Configuration \u2192 Create \u2192 Settings catalog \u2192 Authentication \u2192 Enable Web Sign In \u2192 Enabled<\/strong>. Same outcome, but managed centrally and survives device wipes.<\/p>\n<\/blockquote>\n\n\n\n

      \n\n\n\n

      Step 2: Enable the Temporary Access Pass Policy in Entra<\/h2>\n\n\n\n

      TAP is off by default in the tenant. Turn it on:<\/p>\n\n\n\n

        \n
      1. Go to the Microsoft Entra admin center<\/strong> at entra.microsoft.com<\/li>\n\n\n\n
      2. Navigate to Protection \u2192 Authentication methods \u2192 Policies<\/strong><\/li>\n\n\n\n
      3. Click Temporary Access Pass<\/strong><\/li>\n\n\n\n
      4. Switch Enable<\/strong> to On<\/strong><\/li>\n\n\n\n
      5. Under Target<\/strong>, choose All users<\/strong> or scope to a specific group (recommended for pilots)<\/li>\n\n\n\n
      6. Click the Configure<\/strong> tab and set:\n
          \n
        • Minimum lifetime<\/strong>: 1 hour<\/li>\n\n\n\n
        • Maximum lifetime<\/strong>: 8 hours (this is the hard ceiling Microsoft allows)<\/li>\n\n\n\n
        • Default lifetime<\/strong>: 1 hour<\/li>\n\n\n\n
        • One-time use<\/strong>: No<\/strong> if the device will reboot during setup, Yes<\/strong> for tighter security<\/li>\n\n\n\n
        • Length<\/strong>: 8 characters minimum<\/li>\n<\/ul>\n<\/li>\n\n\n\n
        • Click Save<\/strong><\/li>\n<\/ol>\n\n\n\n

          Replication can take a few minutes. If a TAP prompt doesn’t appear right away, give it 5\u201310 minutes.<\/p>\n\n\n\n

          \n\n\n\n

          Step 3: Issue a TAP to the User<\/h2>\n\n\n\n
            \n
          1. In the Entra admin center, go to Identity \u2192 Users \u2192 All users<\/strong><\/li>\n\n\n\n
          2. Find and click the user<\/li>\n\n\n\n
          3. Open Authentication methods<\/strong> in the left menu<\/li>\n\n\n\n
          4. Click + Add authentication method<\/strong><\/li>\n\n\n\n
          5. From the dropdown, choose Temporary Access Pass<\/strong><\/li>\n\n\n\n
          6. Set the activation time<\/strong>, lifetime<\/strong>, and one-time use<\/strong> preference<\/li>\n\n\n\n
          7. Click Add<\/strong><\/li>\n<\/ol>\n\n\n\n

            Entra will display the passcode exactly once<\/strong>. Copy it now \u2014 once you close the window, it’s gone. Hand it to the user through a secure channel (in person, a phone call, or a verified secure messaging tool \u2014 not plain email).<\/p>\n\n\n\n

            \n\n\n\n

            Step 4: Sign In to the Device With the TAP<\/h2>\n\n\n\n

            On the Windows lock screen:<\/p>\n\n\n\n

              \n
            1. Click Sign-in options<\/strong> below the password field<\/li>\n\n\n\n
            2. Click the globe icon<\/strong> (Web Sign-in)<\/li>\n\n\n\n
            3. Click Sign in<\/strong><\/li>\n\n\n\n
            4. Enter the user’s UPN (e.g., jane.doe@contoso.com) and click Next<\/strong><\/li>\n\n\n\n
            5. When prompted, enter the Temporary Access Pass<\/strong> code<\/li>\n\n\n\n
            6. Windows authenticates against Entra and signs the user in to the desktop<\/li>\n<\/ol>\n\n\n\n

              No password. No MFA prompt. The user is in.<\/p>\n\n\n\n

              \n\n\n\n

              Gotchas Worth Knowing<\/h2>\n\n\n\n
                \n
              • Entra Joined only.<\/strong> Web Sign-in + TAP doesn’t work on Hybrid Joined or domain-joined devices. On those, the user has to authenticate with a password, smart card, or FIDO2 key first, and TAP can only be used to register Windows Hello afterward.<\/li>\n\n\n\n
              • Internet required.<\/strong> Web Sign-in needs an active connection. Offline sign-in falls back to cached credentials.<\/li>\n\n\n\n
              • Web Sign-in becomes the default credential provider<\/strong> after it’s used, which can confuse users on subsequent sign-ins. If that’s an issue, push an Intune policy to set Password<\/strong> (or Windows Hello) as the default credential provider: Settings catalog \u2192 Administrative Templates \u2192 System \u2192 Logon \u2192 Assign a default credential provider<\/strong>.<\/li>\n\n\n\n
              • Conditional Access still applies.<\/strong> If your CA policies require compliant devices or specific locations, TAP sign-in respects those rules.<\/li>\n\n\n\n
              • Federated tenants:<\/strong> if FederatedIdpMfaBehavior is set to enforceMfaByFederatedIdp, the user gets redirected to the federated IdP instead of seeing a TAP prompt. Set it to acceptIfMfaDoneByFederatedIdp if you want TAP to be accepted.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"

                Passwordless Login to Entra-Joined Devices Using a Temporary Access Pass (TAP) TL;DR Run this command on an Entra-joined Windows device (elevated Command Prompt), reboot, enable TAP in the Entra admin center, issue a passcode, and your user is one globe-icon-click away from a passwordless sign-in: reg add HKLM\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\Authentication \/v EnableWebSignIn \/t REG_DWORD \/d 1 \/f […]<\/p>\n","protected":false},"author":8,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1938","post","type-post","status-publish","format-standard","hentry","category-uncategorized","post-preview"],"_links":{"self":[{"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/1938","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1938"}],"version-history":[{"count":1,"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/1938\/revisions"}],"predecessor-version":[{"id":1939,"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/1938\/revisions\/1939"}],"wp:attachment":[{"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1938"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1938"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ultrexstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1938"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}