Temporary Access Pass in Microsoft Entra: Configuration and Usage
Last Updated on 19. April 2026
A Temporary Access Pass (TAP) is a time-limited passcode that can be configured for single or multiple use. The Temporary Access Pass (TAP) allows the user to securely sign in to the Microsoft Cloud within a defined time period to set up additional authentication methods. These secure authentication methods include passwordless methods such as FIDO2 security keys or the Microsoft Authenticator App. The limited time period for access authorisations makes the Temporary Access Pass (TAP) an indispensable tool for security guidelines and compliance requirements.
This blog post explains how to activate, configure, and use the Temporary Access Pass (TAP).
Prerequisites and Licensing
Licenses
The following licence is required for the Temporary Access Pass (TAP) feature in Microsoft Entra ID:
- Microsoft Entra ID P1 or higher
The licence is part of Microsoft 365 Business Premium and many more.
Roles
The following roles are defined for configuration, operation, and maintenance based on the principle of least privilege:
| Role | Permission |
| Authentication Policy Administrator | can configure the Temporary Access Pass policy, including lifetime, but cannot create, view, or delete access passes for users |
| Privileged Authentication Administrator | can create, view, and delete a Temporary Access Pass for administrators and members, except for themselves |
| Authentication Administrator | can create, view, and delete a Temporary Access Pass for members, except for themselves |
Enable Temporary Access Pass as an Authentication Method
Before users can sign in using a Temporary Access Pass, the authentication method Temporary Access Pass must be enabled. During this configuration, you define which users or groups are allowed to use this method.
Navigate to the Microsoft Entra Admin Center (https://entra.microsoft.com) > Entra ID > Authentication methods > Policies > Temporary Access Pass.
Enable Temporary Access Pass and select users or groups who are authorised to use this sign-in method.
Optionally, adjust the default settings of the Temporary Access Pass under Configure.
| Setting | Default | Values | Comments |
| Minimum lifetime | 1 hour | 10 – 43.200 minutes (30 days) | Minimum number of minutes for which the Temporary Access Pass is valid |
| Maximum lifetime | 8 hours | 10 – 43.200 minutes (30 days) | Maximum number of minutes for which the Temporary Access Pass is valid |
| Default lifetime | 1 hour | 10 – 43.200 minutes (30 days) | |
| One-time use | False | True / Fase | If the policy is set to No, the Temporary Access Pass can be used either once or multiple times during its validity period. If the policy is set to Yes, the Temporary Access Pass can only be used once during its validity period. |
| Length Passcode | 8 characters | 8-48 characters |
Hint
Set the One-time value to No so that each time a Temporary Access Pass is created, it can be individually defined whether it can be used once or several times during the validity period and thus better fulfil the security guidelines and compliance requirements.
Create Temporary Access Pass
After the policy has been enabled, it is possible to create a Temporary Access Pass for an authorized user in Microsoft Entra ID.
Select the users in the Microsoft Entra admin center (https://entra.microsoft.com) under Entra ID > Users > All users.
Authentication methods > Add authentication method > Temporary Access Pass
The delayed start time, activation duration and single or multiple use can be customised to your own requirements.
To finish, click on Add.
The details of the Temporary Access Pass are now displayed.
The passcode is shown only once and cannot be retrieved again after closing the window.
It should therefore be written down.
The user can now sign-in with the created passcode.
Use Temporary Access Pass
Usually, a user registers authentication methods during the first signin. The Temporary Access Pass is therefore perfect for setting up or updating multifactor-, passwordless-, or phishing-resistant authentications without having to perform additional security verificatoins.
Registering authentication methods
The registration of authentication methods is done at https://aka.ms/mysecurityinfo. Users can also update existing authentication methods here.
If a user account has activated a Temporary Access Pass, the user automatically uses this authentication method when sign-in.
After successfull sign-in, the user can now register or update passwordless authentication methods such as FIDO2 security keys or Microsoft Authenticator App.
Users who update their authentication methods due to lost credentials or devices should ensure that the old authentication methods are removed here.
Good to know
Registering a security key (FIDO2)
If a one-time Temporary Access Pass is used to register a security key (FIDO2), the user must complete the registration within 10 minutes of signing in with the one-time Passcode. This restriction does not apply to a Temporary Access Pass created for multiple uses.
Fresh content, explained with practical relevance. Stay up to date via LinkedIn and Bluesky.
No marketing. No noise. Just content.
If this post was helpful, a coffee brings back the rich aroma behind the writing.
