Our AAD (M365) is federated to Google as the SAML IdP. This was supporting users logging into their Win 10/11 laptops with Web Sign-in using their Google credentials. Recently, users are getting an error as soon as they enter their UPN "To sign in, you'll need a new Temporary Access Pass. Contact your admin to get one." which is pretty odd since TAP is disabled for our domain. What changed and how do I get web sign-in working again?
I understand that your users are being prompted to enter a Temporary Access Pass even though you have TAP disabled for your domain.
I assume that you have already confirmed that it is disabled in the two portal settings:
Azure Active Directory >Security > Authentication methods >Temporary Access Pass > No
Portal.azure.com > User >Authentication method >Temporary Access Pass
These documents indicate that windows 10 web sign-in enables temporary access pass from the endpoint manager in Intune:
Policy CSP - Authentication - Windows Client Management | Microsoft Docs
It seems that the prompt for the TAP is enabled through Intune via web sign-in, but I have reached out to the product team to confirm as I have seen a number of users reporting this lately.
I got confirmation from the product team that we only support Web Sign-in with TAP. Web sign-in without tap is in private preview so there is no support for it at this point. https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1809#web-sign-in-to-windows-10
The linked information does not support your claim. Please link where this change to functionality was announced. Web SignIn was released over 3 years ago but I cannot find any reference to TAP before February last year. This indicates Web SignIn was not developed as a TAP vehicle so this is definitely a change of direction for this product. Was there any notice for this change?
Thanks
The article states, "Web sign-in is restricted to only support Azure AD temporary access pass . . . This is a private preview feature and therefore not meant or recommended for production purposes. This setting is not currently supported at this time."
I reached out to the product team to relay your question about the functionality announcement, as I also could not find any announcement.
Please bring back the ability to use web sign-in. It makes so much sense and lets us login using conditional access and security keys. From a deployment and admin side is amazing. I was so upset when I found this and I was just trying the feature out and i fell in love when it was just gutted with no reason. Or let us use Security Keys as a multi factor unlock option with Pin....
57 people are following this question.
