34 thoughts on “Enabling web sign-in to Windows for usage with Temporary Access Pass”

  1. Is there a way to make password sign-in the default while having the web sign-in as an available option? In my testing, enabling web sign-in makes it the default. If you check the registry, password sign-in is still the default, but that is not the experience to the user. This may be a Windows 10 glitch. What is your experience with this?

    • Hi George,
      I’m at least not seeing that behavior with newly deployed devices. I do know that there is a GPO setting (Assign a default credential provider) that could be used to set a default credential provider.
      Regards, Peter

  2. Is there a way to use this now? If we configure this we always must log on with Temporary Access Pass, otherwise the logon fails. In our scenario we want to use this with MFA (push notification or SMS). That’s not possible any longer? Users will get: Access Pass must be used for Web Sign In. Contact your admin to get an Access Pass.

  3. Hi! Encountered this: AADSTS130506: Access Pass must be used for web sign in. Contact your admin to get an access pass. Have been using web sign-in as an option for a while now, and all of a sudden when trying to log in with web sign-in we suddenly get this error forcing TAP for web sign-in. No clue as to why.

  4. Hi Peter,

    I’m hoping you can help me / point me in the right direction.

    We were previously using Web Sign-In exclusively with passwordless for PCs in Meeting Rooms and other Shared PCs.

    With recent changes, Web Sign In has stopped working with Passwordless and now only works with Temporary Access Pass.

    This has broken ALL shared Win10 PCs across our entire client base, requiring an urgent change of direction.

    If we are in a true passwordless environment, how should we be targeting User authentication on shared Windows 10 devices that are used infrequently by Users?

    We’re in a sticky situation with this and currently issuing TAPs to all Users until we identify and implement the solution.

    Any help would be greatly appreciated.


  5. Hello,

    Thanks for this explanation of TAP. I try to use it in an Autopilot/Intune scenario but it doesn’t work.

    It works after enrollment and Intune deployment, but not just after the Autopilot configuration.

    I’m on the login password text box and I do not have the “sign in option”, even with a bad password.
    If I log in, the Intune deployment continues; if I lock the session, I have the sign-in option directly.

    I’m on Win10 20H2
    No MFA on my user

  6. Peter,
    I’ve tried setting it up, but I’m running into a problem when enrolling a new device.
    The first time logon screen works fine and asks for the TAP.
    The second time however we need to use the web sign-in function.
    The policy itself works fine, but new devices don’t receive the policy before the second login.
    Did you run into this issue and if so, how did you fix it?

    Thanks in advance

  7. Hi Peter:

    Thank you for this article. It has been very helpful.

    We are able to use TAP using Web sign in after initial onboarding using Auto Pilot. However, the option to use TAP and web sign in logo do not appear as part of Auto Pilot.

    We are able to login using Security Key as part of the Autopilot.

    Is TAP supposed to work with Autopilot? We appreciate your help and expert guidance.

      • Hi Peter:

        We have enabled TAP for all users. Here is what we are seeing.

        – TAP works for web app sign in
        – TAP works **AFTER** logging into Windows device for the first time.
        – TAP does NOT work while trying to login to the device for the first time.

        The only option we see is Security Key (which works) and Password based authentication. If it helps we are also using third party IdP with Azure AD tenant in a federated mode.



        • Hi Ashwin,
          I don’t have recent experience with that combination. What I can do is run some tests after my vacation, to see what the current behavior is in an (Azure) AD only environment. Even in that scenario, the behavior has been on and off.
          Regards, Peter

  8. We have been testing this for a few months now, until today …… a number of Users on different computers all of a sudden are unable to sign-in with a “New User” login and no option to do anything on device. The username behind this display name is DefaultUser100000. Only fix is to shutdown and turn on again a number of times before getting option for “Other User” then signing in.
    I have seen a few reports that this is due to the Web Sign-in, but wanted to get others feedback on this.

  9. Does this work at all for hybrid joined devices? Our IAM team would love to move to passwordless in general, but being able to log onto a device in the first place to configure your MFA/Win Hello/FIDO2 key is a bit of a blocker, especially as we require you to set those up from a company device behind Conditional Access rules.
    Thank You

  10. Hi,

    Trying to use TAP during the device enrollment to Intune (AAD only) without providing the password to the users.
    During the first sign-in screen it allows me to enter TAP (so far so good). On the following sign-in, only password and smart card option are provided as sign-in method.

    As a workaround I have enabled web sign-in, but I still don’t get the web sign-in option on the second sign-in during the device enrollment. Once the device is enrolled, the web sign-in is available.

    Any help would be appreciated!


