question

JasonBradford-3831 asked CameronHemingway-6640 commented

Why might users receive "To sign in, you'll need a new Temporary Access Pass..." error on web sign-in attempt if TAP is disabled for the domain?

Our AAD (M365) is federated to Google as the SAML IdP. This was supporting users logging into their Win 10/11 laptops with Web Sign-in using their Google credentials. Recently, users are getting an error as soon as they enter their UPN: "To sign in, you'll need a new Temporary Access Pass. Contact your admin to get one." This is pretty odd, since TAP is disabled for our domain. What changed, and how do I get web sign-in working again?

Tags: windows-10-general, azure-active-directory, windows-11, azure-ad-saml-sso

MarileeTurscak-MSFT answered

Hi @JasonBradford-3831,

I understand that your users are being prompted to enter a Temporary Access Pass even though you have TAP disabled for your domain.

I assume that you have already confirmed that it is disabled in the two portal settings:

Azure Active Directory > Security > Authentication methods > Temporary Access Pass > No
Portal.azure.com > User > Authentication method > Temporary Access Pass

These documents indicate that Windows 10 web sign-in enables Temporary Access Pass from the Endpoint Manager in Intune:

Policy CSP - Authentication - Windows Client Management | Microsoft Docs

Enabling web sign-in to Windows for usage with Temporary Access Pass – All about Microsoft Endpoint Manager (petervanderwoude.nl)

It seems that the prompt for the TAP is enabled through Intune via web sign-in, but I have reached out to the product team to confirm as I have seen a number of users reporting this lately.


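The answer above lists the two portal locations to confirm TAP is disabled and points at the Policy CSP setting that turns on web sign-in. The following is an added example, not code from the original thread or from Microsoft, that checks the same three things from PowerShell: the tenant-wide TAP policy and the user's registered TAP methods through the Microsoft Graph PowerShell SDK, and the `Authentication/EnableWebSignIn` policy as applied on the affected laptop. The UPN is a placeholder, and the PolicyManager registry location used for the device check is an assumption (it is where applied MDM policy values are normally mirrored; verify on your own build).

```powershell
# Added example (not from the original thread). Requires the Microsoft.Graph PowerShell SDK:
#   Install-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users
# Steps 1 and 2 run from any admin workstation; step 3 runs on the affected Windows device.

# 1. Tenant-wide policy: Azure AD > Security > Authentication methods > Temporary Access Pass
Connect-MgGraph -Scopes 'Policy.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

$tapPolicy = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'TemporaryAccessPass'
# State is 'enabled' or 'disabled'; the question expects 'disabled'.
"Tenant TAP policy state: $($tapPolicy.State)"

# 2. Per-user registration: Azure AD > Users > <user> > Authentication methods
$upn = 'user@contoso.example'   # assumed placeholder, replace with the affected UPN
$userTaps = @(Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn)
"TAPs registered for ${upn}: $($userTaps.Count)"
foreach ($tap in $userTaps) {
    "  id=$($tap.Id) created=$($tap.CreatedDateTime) usable=$($tap.IsUsable) oneTime=$($tap.IsUsableOnce)"
}

# 3. Device side: is Web Sign-in pushed by Intune through the Policy CSP?
#    OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn
#    Assumption: applied MDM values are mirrored under this PolicyManager key.
$regPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'
$webSignIn = (Get-ItemProperty -Path $regPath -Name 'EnableWebSignIn' -ErrorAction SilentlyContinue).EnableWebSignIn
if ($null -eq $webSignIn) {
    "EnableWebSignIn on this device: not configured"
} else {
    # 1 = web sign-in enabled, 0 = disabled
    "EnableWebSignIn on this device: $webSignIn"
}
```

If step 1 reports `disabled` and step 2 reports zero registered passes while step 3 shows `EnableWebSignIn = 1`, the device is presenting the web sign-in credential provider that, per the follow-up answer, is only supported together with TAP, which matches the prompt the users are seeing.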

MarileeTurscak-MSFT answered CameronHemingway-6640 commented

I got confirmation from the product team that we only support Web Sign-in with TAP. Web sign-in without TAP is in private preview, so there is no support for it at this point. https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1809#web-sign-in-to-windows-10


The linked information does not support your claim. Please link to where this change in functionality was announced. Web Sign-in was released over 3 years ago, but I cannot find any reference to TAP before February last year. This indicates Web Sign-in was not developed as a TAP vehicle, so this is definitely a change of direction for this product. Was there any notice of this change?

Thanks


Hi @JasonBradford-3831,

The article states, "Web sign-in is restricted to only support Azure AD temporary access pass . . . This is a private preview feature and therefore not meant or recommended for production purposes. This setting is not currently supported at this time."

I reached out to the product team to relay your question about the functionality announcement, as I also could not find any announcement.


Please bring back the ability to use web sign-in. It makes so much sense and lets us log in using Conditional Access and security keys. From a deployment and admin side it is amazing. I was so upset when I found this: I was just trying the feature out, and I fell in love with it, when it was just gutted with no reason. Or let us use security keys as a multi-factor unlock option with PIN....
