Why might users receive "To sign in, you'll need a new Temporary Access Pass..." error on web sign-in attempt if TAP is disabled for the domain?

Jason Bradford 6 Reputation points
2022-03-28T22:02:47.067+00:00

Our AAD (M365) is federated to Google as the SAML IdP. This was supporting users logging into their Win 10/11 laptops with Web Sign-in using their Google credentials. Recently, users are getting an error as soon as they enter their UPN "To sign in, you'll need a new Temporary Access Pass. Contact your admin to get one." which is pretty odd since TAP is disabled for our domain. What changed and how do I get web sign-in working again?

Windows 10
Windows 10
A Microsoft operating system that runs on personal computers and tablets.
10,657 questions
Windows 11
Windows 11
A Microsoft operating system designed for productivity, creativity, and ease of use.
8,218 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,559 questions
0 comments

4 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. blastingbits 6 Reputation points
    2022-07-12T14:06:04.71+00:00

    I installed a new motherboard in a system and now getting this error on the users attempt to login to the system even though TAP is disabled on O365. The only way I can fix this issue is disconnecting and reconnecting AAD. I've had this issue before TAP was forced upon us and the user can just login as usual. Now I have to spend a half hour rebuilding the users profile. Not a fan of this feature that is supposedly in private preview and turned OFF on my tenant.

    1 person found this answer helpful.
  2. Marilee Turscak-MSFT 34,036 Reputation points Microsoft Employee
    2022-04-01T21:54:02.86+00:00

    Hi @Jason Bradford ,

    I understand that your users are being prompted to enter a Temporary Access Pass even though you have TAP disabled for your domain.

    I assume that you have already confirmed that it is disabled in the two portal settings:

    Azure Active Directory >Security > Authentication methods >Temporary Access Pass > No
    Portal.azure.com > User >Authentication method >Temporary Access Pass

    These documents indicate that windows 10 web sign-in enables temporary access pass from the endpoint manager in Intune:

    Policy CSP - Authentication - Windows Client Management | Microsoft Learn

    Enabling web sign-in to Windows for usage with Temporary Access Pass – All about Microsoft Endpoint Manager (petervanderwoude.nl)

    It seems that the prompt for the TAP is enabled through Intune via web sign-in, but I have reached out to the product team to confirm as I have seen a number of users reporting this lately.

    0 comments
  3. Marilee Turscak-MSFT 34,036 Reputation points Microsoft Employee
    2022-04-01T22:00:06.12+00:00

    I got confirmation from the product team that we only support Web Sign-in with TAP. Web sign-in without tap is in private preview so there is no support for it at this point. https://learn.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1809#web-sign-in-to-windows-10

  4. Jan-Willem 0 Reputation points
    2024-02-16T08:09:33.13+00:00

    Is this still in preview? We have the same config as above. TAP is disabled and passwordless is configured. For some users it's working, for some they get the tap error and one is even asked to enter his password (even when disabling en re-enabling passwordless in Authenticator app).

    0 comments