This week continues the journey through Windows Hello for Business. The last few weeks were all about direct Windows Hello for Business functionalities, while this week is all about providing alternatives besides Windows Hello for Business. When looking at standard Windows functionality, those alternatives are FIDO2 security keys and the relatively new combination of the web sign-in credential provider with Temporary Access Pass (TAP). The web sign-in credential provider itself is nothing really new, but the ability to use it in combination with TAP is relatively new, simply because TAP itself is relatively new. TAP is a time-limited passcode that temporarily enables users to sign in. That sign-in is focused on getting users up and running with passwordless authentication and on helping users recover access to their account. And all of that without the use of a password, as TAP satisfies the required strong authentication requirements. The best thing is that – in combination with the web sign-in credential provider – TAP can even be used for signing in to Windows. That enables users to get up and running quickly and provides IT administrators with an alternative method to sign in to a device when really needed. This post will provide the required configurations and the user experience, by going through the following.
- Enabling web sign-in as credential provider
- Enabling Temporary Access Pass as authentication method
- Creating a Temporary Access Pass for a user
- Experiencing web sign-in in Windows with Temporary Access Pass
Important: At the moment of writing, the TAP authentication method is still an Azure AD public preview feature.
Note (as mentioned by Daniel Stefaniak): The combination of web sign-in with TAP is supported only for bootstrap scenarios for other unlock methods. Web sign-in is not to be used as your daily driver for login. Also, unlocks/logins with web sign-in do not and will not get single sign-on to on-premises resources.
Enabling web sign-in as credential provider
The web sign-in credential provider is supported on Azure AD joined devices and is available with Windows 10 version 1809 and later. That credential provider enables support for credentials that are normally not available on Windows. It basically adds a web sign-in option via Azure AD that can be used with passwordless phone sign-in and, more importantly, with TAP. That creates an option for users to sign in, without a password, to register their passwordless authentication method. It is also a more IT administrator friendly method, compared to My Security Info, as it doesn't conflict with Conditional Access when assigning policies to All cloud apps. To enable the web sign-in credential provider by using the Settings Catalog of Microsoft Intune, follow the eight steps described below.
- Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > Windows > Configuration profiles
- On the Windows | Configuration profiles blade, click Create profile
- On the Create a profile blade, provide the following information and click Create
  - Platform: Select Windows 10 and later to create a profile for Windows 10 devices
  - Profile: Select Settings catalog to select the required setting from the catalog
- On the Basics page, provide the following information and click Next
  - Name: Provide a name for the profile to distinguish it from other similar profiles
  - Description: (Optional) Provide a description for the profile to further differentiate profiles
  - Platform: (Greyed out) Windows 10 and later
- On the Configuration settings page, as shown below in Figure 1, perform the following actions
  - Click Add settings and perform the following in the Settings picker
    - Select Authentication as category
    - Select Enable Web Sign In as setting
  - For Enable Web Sign In, select Enabled. Web Sign-in will be enabled for signing in to Windows and click Next
- On the Scope tags page, configure the required scope tags and click Next
- On the Assignments page, configure the assignment and click Next
- On the Review + create page, verify the configuration and click Create
Note: Keep in mind that this configuration is mainly useful once the organization has completely transitioned to passwordless authentication, as it currently also enables users to simply sign in with a username and password.
Enabling Temporary Access Pass as authentication method
The TAP authentication method is currently in public preview. That authentication method provides users with a time-limited passcode that even satisfies the multi-factor authentication requirement in Conditional Access. That enables users to register or recover their passwordless authentication methods. To enable TAP as an authentication method for users, the IT administrator can enable the TAP authentication method policy. That authentication method policy defines the different settings of TAP, such as the users that can use TAP and the lifetime of TAPs. To enable the TAP authentication method, follow the four steps described below.
- Open the Azure portal and navigate to Azure Active Directory > Security > Authentication methods > Policies
- On the Authentication methods | Policies blade, select Temporary Access Pass
- On the Basics tab of the Temporary Access Pass settings page, provide the following information and click Save
  - ENABLE: Select Yes to enable the use of TAP as an authentication method
  - TARGET: Select All users or select Select users to specify the users that can use TAP as an authentication method

Note: Keep in mind that it's possible to create a TAP for any user, but only users that are targeted with the authentication method policy can actually sign in with TAP.

- On the Configure tab of the Temporary Access Pass settings page, provide the following information and click Save
  - Minimum lifetime: Specify a value between 10 – 43200 minutes (default: 1 hour) as the minimum lifetime
  - Maximum lifetime: Specify a value between 10 – 43200 minutes (default: 24 hours) as the maximum lifetime
  - Default lifetime: Specify a value between 10 – 43200 minutes (default: 1 hour) as the default lifetime
  - One-Time: Specify true or false (default: false) to define whether a TAP can be reused within its lifetime
  - Length: Specify a value between 8 – 48 characters (default: 8) as the length
Creating a Temporary Access Pass for a user
A TAP can be created for users in Azure AD by any Global administrator, Privileged authentication administrator or Authentication administrator. To create a TAP for a user, the IT administrator adds an authentication method for the user. The following four steps walk through the manual creation of a TAP for a user in Azure AD.
- Open the Azure portal and navigate to Azure Active Directory > Users > Select the required user > Authentication methods
- On the Selected user | Authentication methods page, click Add authentication method

Note: At this moment it's required to switch to the new experience by clicking on Switch to the new user authentication methods experience! Click here to use it now.

- On the Add authentication method blade, provide the following information and click Add
  - Choose method: Select Temporary Access Pass to add the authentication method for the user
  - Delayed start time: Only select this when the TAP is not needed immediately
  - Activation duration: Specify the activation duration when the default is not long enough
  - One-time use: Choose whether the user can use it more than once within its lifetime
- On the Temporary Access Pass details blade, copy the TAP and click OK

Important: Keep in mind that it's not possible to view a TAP after it's been created.

Tip: The New-MgUserAuthenticationTemporaryAccessPassMethod cmdlet can be used for scripting the creation.
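The manual creation walked through above, together with the lifetime and one-time settings governed by the TAP authentication method policy from the previous section, scripted with the Microsoft Graph PowerShell SDK. This is an added example and not part of the original post; it assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in account holds one of the roles named above, and that the user principal name passed in is a placeholder.

```powershell
# Added example (not from the original post): create a TAP for one user and show it exactly
# once, because the pass cannot be retrieved again after creation.
# Assumptions: Microsoft.Graph.Identity.SignIns module installed; $UserPrincipalName is a
# placeholder; the lifetime must lie between the policy's minimum and maximum lifetime.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [int]  $LifetimeInMinutes = 60,    # within the policy's minimum/maximum lifetime
    [bool] $OneTimeUse        = $true  # one-time use limits replay if the pass leaks
)

# Least-privilege scopes: create auth methods on other users, read the policy state.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All', 'Policy.Read.All' -NoWelcome

# 1. Fail early if the tenant-wide TAP policy is not enabled; a pass created now could not be used.
$tapPolicy = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'TemporaryAccessPass'
if ($tapPolicy.State -ne 'enabled') {
    throw 'The Temporary Access Pass authentication method policy is not enabled in this tenant.'
}

# 2. Resolve the user so a typo in the UPN fails here rather than during creation.
$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName -ErrorAction Stop

# 3. Create the pass. Omitting -StartDateTime makes it usable immediately (the post's
#    advice not to select Delayed start time); -IsUsableOnce mirrors the One-time use option.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id `
    -LifetimeInMinutes $LifetimeInMinutes -IsUsableOnce:$OneTimeUse

# 4. Emit the pass once with its validity window. Hand it to the user out of band and do not
#    write this output to a log; this is the only moment the value is readable.
[pscustomobject]@{
    User       = $user.UserPrincipalName
    Pass       = $tap.TemporaryAccessPass
    ValidFrom  = $tap.StartDateTime.ToLocalTime()
    ValidUntil = $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes).ToLocalTime()
    OneTimeUse = $tap.IsUsableOnce
}
```

Note that the policy check only confirms the method is enabled tenant-wide; whether this specific user is in the policy's target group still decides if the pass can actually be used.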
Experiencing web sign-in in Windows with Temporary Access Pass
Experiencing the behavior of the web sign-in credential provider in Windows in combination with TAP is pretty straightforward. Simply start a configured Windows 10 or Windows 11 device and click on Sign-in options. That will show the available credential providers, including the web sign-in credential provider. Figure 5 shows an example of a Windows 10 device and Figure 6 shows an example of a Windows 11 device, both after clicking on the web sign-in credential provider. As these devices also have Windows Hello for Business multi-factor unlock configured, there will be an additional message stating that the organization requires additional sign-in security. That additional sign-in security can also be configured after signing in with a TAP.
To actually use the web sign-in credential provider, the user should click on Sign-in. That will open a browser dialog that enables the user to sign in. When a TAP is available for the user, that sign-in dialog will automatically ask the user to enter a TAP. Figure 7 shows an example of that behavior on Windows 10 and Figure 8 shows an example of that behavior on Windows 11. When no TAP is available for the user, that sign-in dialog will just ask for a password.
Note: The good thing is that a TAP can even be used during Windows Autopilot. On Windows 11 that's a seamless experience, as the initial sign-in automatically detects that the user has a TAP available. On Windows 10 that's currently a slightly less seamless experience, as it requires the user to provide a wrong password and to manually select a different sign-in method.
For more information about the web sign-in credential provider and the Temporary Access Pass authentication method, refer to the following docs.
- What’s new in Windows 10, version 1809 for IT Pros – Web sign-in to Windows 10 | Microsoft docs
- Policy CSP – Authentication – EnableWebSignIn | Microsoft docs
- Temporary Access Pass is now in public preview | Microsoft Tech Community
- Configure Temporary Access Pass in Azure AD to register Passwordless authentication methods | Microsoft docs