ITOps Talk Blog

Step-by-Step Guide : How to use Temporary Access Pass (TAP) with internal guest users

dishanfrancis
Jan 13, 2025

Passwords are fundamentally weak and vulnerable to being compromised. Even enhancing a password only delays an attack; it does not render it unbreakable. Multi-Factor Authentication (MFA) offers more security but still depends on passwords. This is why passwordless authentication is a more secure and convenient alternative.

[Image: passwordless authentication compared with passwords and MFA on convenience and security. Source: https://learn.microsoft.com/entra/identity/authentication/media/concept-authentication-passwordless/passwordless-convenience-security.png]

Microsoft Entra ID supports passwordless authentication natively, with six different passwordless authentication options:

  • Windows Hello for Business
  • Platform Credential for macOS
  • Platform single sign-on (PSSO) for macOS with smart card authentication
  • Microsoft Authenticator
  • Passkeys (FIDO2)
  • Certificate-based authentication

An organisation can select whichever of these options suits its requirements. However, the initial setup requires a way to authenticate the user before the other passwordless methods can be onboarded. For this, we can use:

  1. Existing Microsoft MFA methods
  2. Temporary Access Pass (TAP)

A Temporary Access Pass (TAP) is a time-limited passcode that can be configured for single use or multiple sign-ins.

Organisations not only have internal users to manage but also guest users. Until now, the TAP method was only available for internal users, and guest users were not permitted to use this method. This makes sense because if guest users also need to use passwordless authentication, it should occur in their home tenant.

But now Entra ID supports TAP for “Internal Guest” users.

Internal Guests

Guest users are typically categorised as user accounts that exist in a remote tenant. However, some organisations prefer to use user accounts in their own directory but with guest-level access. This is typically for contractors, suppliers, vendors, etc. These are known as 'internal guest accounts'. Such accounts were also used for guest users in the past when B2B collaboration wasn't in place.

In this demo I am going to show how to use TAP with an internal guest user.

Enable TAP as an authentication method

Before we configure TAP for a user, we need to make sure TAP is enabled as an authentication method. To do that,

  1. Log in to the Entra portal as an Authentication Policy Administrator or higher.
  2. Navigate to Protection > Authentication methods > Policies.
  3. Click on Temporary Access Pass.
  4. Ensure it is enabled and the target is defined. If not, make the necessary changes and click Save.

Create TAP for Internal Guest User

I already have an internal guest user for this task. As you can see below, the user type is Guest, but the user is still part of the same tenant.

To create a TAP,

  1. Click on the selected user in the Entra ID users list to go to the user properties.
  2. Next, click on Authentication methods.
  3. Then click on + Add authentication method.
  4. From the drop-down, select the Temporary Access Pass method. In the settings window, make the adjustments based on the requirements and then click on Add.
  5. It will create the TAP as expected.
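The same two procedures (check the TAP policy, then issue a TAP for an internal guest) done with Microsoft Graph PowerShell, as an added example that is not code from the original post. It assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns modules are installed, the signed-in admin holds the Authentication Policy Administrator role, and the UPN below is a placeholder for your internal guest account.

```powershell
# Placeholder: replace with the internal guest account in your tenant.
$guestUpn = "contractor01@contoso.onmicrosoft.com"

# Scopes needed to read the authentication methods policy, look up the user
# and write an authentication method on that user.
Connect-MgGraph -Scopes "Policy.Read.All", "User.Read.All", "UserAuthenticationMethod.ReadWrite.All"

# 1. Confirm TAP is enabled in the tenant's authentication methods policy
#    before trying to issue one (the portal step under "Enable TAP").
$tapPolicy = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "TemporaryAccessPass"
if ($tapPolicy.State -ne "enabled") {
    throw "Temporary Access Pass is not enabled in the authentication methods policy."
}

# 2. Resolve the user and verify it is an *internal* guest: userType is Guest,
#    but the account was created in this directory rather than invited via B2B.
#    Assumption: a B2B-invited guest carries an externalUserState value
#    (PendingAcceptance/Accepted), while an internal guest has none.
$user = Get-MgUser -Filter "userPrincipalName eq '$guestUpn'" `
    -Property Id, UserPrincipalName, UserType, ExternalUserState
if (-not $user) { throw "User $guestUpn not found." }
if ($user.UserType -ne "Guest" -or $user.ExternalUserState) {
    throw "$guestUpn is not an internal guest account (UserType=$($user.UserType), ExternalUserState=$($user.ExternalUserState))."
}

# 3. Issue a single-use TAP valid for 60 minutes. The pass value is returned
#    only in this response; it cannot be read back later, so hand it to the
#    user over a channel you trust and let it expire.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id -BodyParameter @{
    isUsableOnce      = $true
    lifetimeInMinutes = 60
}

Write-Host "TAP for $($user.UserPrincipalName): $($tap.TemporaryAccessPass)"
Write-Host "Single use: $($tap.IsUsableOnce); valid for $($tap.LifetimeInMinutes) minutes from $($tap.StartDateTime)"
```

A short lifetime and `isUsableOnce` keep the window in which a leaked pass could be used to register a new passwordless credential as small as possible.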

Testing

To verify the configuration, I am attempting to log in as the test user. This is the user's very first login.

As expected, the initial login prompts for the TAP.

After a successful login, it allows me to configure the account with passwordless authentication. As we can see, TAP for internal guest users is working as expected.

Updated Jan 16, 2025
Version 2.0