๐Ÿ” Recipe ยท Entra ID & Identity

Generate a Temporary Access Pass (TAP) for a user via Microsoft Graph

Issue a time-limited passcode to bootstrap MFA, recover locked accounts, or onboard passwordless users in Entra ID

Complexity

Intermediate

Impact

identity + authentication + mfa + onboarding + account-recovery

Context

Why This Matters

A Temporary Access Pass (TAP) is a time-limited passcode issued by Entra ID that lets a user sign in and register or recover strong authentication methods (FIDO2 keys, Microsoft Authenticator, Windows Hello for Business). It is the recommended way to:

  • Bootstrap MFA for new hires on their first day
  • Recover access when a user loses their phone or security key
  • Onboard users into passwordless authentication without requiring an initial password
  • Re-enable access after a lost-device scenario without a full password reset

TAP is governed by the Temporary Access Pass authentication method policy in Entra ID. Before any TAP can be issued, the policy must be enabled and the target user must fall within its include targets (and not in its exclude targets). Admins can issue a TAP from the Entra portal, Microsoft Graph, or PowerShell; this recipe covers all three.

Expected Outcomes

After completing this recipe you will have:

  • Verified the TAP authentication method policy is enabled for the target user
  • Generated a one-time or multi-use TAP with a defined lifetime (10 minutes to 30 days)
  • Securely delivered the pass to the user (it is only visible at creation time)
  • A clear audit trail in Entra ID sign-in and audit logs

Risks & Considerations

Security considerations

  • TAP is a bearer credential. Anyone who obtains the pass during its lifetime can sign in as the user and register new strong authentication methods, so it is effectively a full account takeover primitive. Deliver it through a trusted out-of-band channel (verified phone call, in-person handoff); never email or chat it to an unverified address, and never write it into a ticket or a script log.
  • Prefer one-time, short-lived passes. Use isUsableOnce: true and the shortest lifetime that fits the workflow (60 minutes is a good default for onboarding; the allowed range is 10 minutes to 30 days).
  • Policy must allow the target user. If the TAP authentication method policy is disabled or does not cover the user, the create call fails (typically 400 Bad Request). A 403 Forbidden instead indicates the caller lacks the required Graph permission or directory role.
  • Privileged roles. Issuing a TAP for a user who holds an administrative role (Global Administrator, Privileged Role Administrator, and similar) requires the caller to be a Privileged Authentication Administrator or Global Administrator; an Authentication Administrator can only manage authentication methods for non-admin users.
  • Existing TAP. A user can hold only one TAP. Creating a new one while an existing TAP is valid will fail; list the user's temporaryAccessPassMethods and delete the existing method first.
  • Audit. TAP creation, use, and deletion are all logged in the Entra audit log under the Authentication Methods service. Review them periodically: a TAP issued to a privileged account outside a known onboarding or recovery ticket is a strong account-takeover indicator.

Required Permissions

Permission | Why It's Needed
UserAuthenticationMethod.ReadWrite.All | Required to create, read, and delete the temporaryAccessPassMethods object on any user
Policy.Read.All | Needed to verify the TAP authentication method policy configuration before attempting creation
Authentication Administrator (directory role) | Minimum role to issue TAPs for non-admin users when calling Graph with delegated permissions
Privileged Authentication Administrator (directory role) | Required to issue TAPs for users holding administrative roles
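The following script is an added example, not code from the original recipe or from the Dex product. It walks the Graph flow described above end to end with the Microsoft.Graph PowerShell SDK, using Invoke-MgGraphRequest so the underlying REST endpoints are visible: check the TAP policy, replace any existing pass, create a one-time pass, hand the secret to the operator without logging it, and confirm the creation appears in the audit log. It assumes the Microsoft.Graph module is installed and that the signed-in caller holds Authentication Administrator (or Privileged Authentication Administrator for an admin target); the parameter names and the AuditLog.Read.All scope used for the final check are this example's own choices.

```powershell
# Added example: issue a Temporary Access Pass over Microsoft Graph (not the recipe's own code).
# Assumes Microsoft.Graph is installed and the caller holds Authentication Administrator
# (Privileged Authentication Administrator if the target user holds an admin role).
param(
    [Parameter(Mandatory)] [string] $UserUpn,
    [ValidateRange(10, 43200)] [int] $LifetimeMinutes = 60,   # Graph accepts 10 minutes to 30 days
    [bool] $UsableOnce = $true
)

$graph = 'https://graph.microsoft.com/v1.0'

# Delegated scopes: read the policy, manage auth methods, read audit logs for the final check.
Connect-MgGraph -Scopes 'Policy.Read.All', 'UserAuthenticationMethod.ReadWrite.All', 'AuditLog.Read.All' -NoWelcome

# 1. Confirm the TAP authentication method policy is enabled before touching the user.
$tapPolicy = Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/TemporaryAccessPass"
if ($tapPolicy.state -ne 'enabled') {
    throw "TAP authentication method policy is '$($tapPolicy.state)'; enable it and scope the user before issuing a pass."
}
# includeTargets lists what the policy applies to: 'all_users' or group object IDs.
$targets = ($tapPolicy.includeTargets | ForEach-Object { $_.id }) -join ', '
Write-Host "TAP policy enabled; include targets: $targets (confirm $UserUpn is covered)"

# 2. A user can hold only one TAP. Remove any existing one (valid, expired, or consumed) first.
$encodedUpn = [uri]::EscapeDataString($UserUpn)
$existing = Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/users/$encodedUpn/authentication/temporaryAccessPassMethods"
foreach ($tap in $existing.value) {
    Write-Host "Removing existing TAP $($tap.id) (usability: $($tap.methodUsabilityReason))"
    Invoke-MgGraphRequest -Method DELETE `
        -Uri "$graph/users/$encodedUpn/authentication/temporaryAccessPassMethods/$($tap.id)" | Out-Null
}

# 3. Create the pass. The secret (temporaryAccessPass) is returned exactly once, in this response.
$body = @{
    lifetimeInMinutes = $LifetimeMinutes
    isUsableOnce      = $UsableOnce
}
$created = Invoke-MgGraphRequest -Method POST -ContentType 'application/json' `
    -Uri "$graph/users/$encodedUpn/authentication/temporaryAccessPassMethods" `
    -Body ($body | ConvertTo-Json)

$start   = [datetime]$created.startDateTime
$expires = $start.AddMinutes([int]$created.lifetimeInMinutes)
Write-Host "TAP $($created.id) created for $UserUpn; valid $($start.ToString('u')) to $($expires.ToString('u')); one-time: $($created.isUsableOnce)"

# 4. Hand the secret to the operator for out-of-band delivery. It is deliberately never echoed,
#    so it does not land in a transcript, SIEM forwarder, or ticket. Clear the clipboard afterwards.
$created.temporaryAccessPass | Set-Clipboard
Write-Host 'Pass copied to clipboard; read it to the user over a verified call, then clear the clipboard.'

# 5. Verify the audit trail. The service label 'Authentication Methods' follows the recipe text;
#    confirm it against a real event in your tenant, since events can take a few minutes to appear.
$since  = (Get-Date).AddMinutes(-15).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = [uri]::EscapeDataString("loggedByService eq 'Authentication Methods' and activityDateTime ge $since")
$audit  = Invoke-MgGraphRequest -Method GET -Uri "$graph/auditLogs/directoryAudits?`$filter=$filter"
$audit.value |
    Where-Object { $_.targetResources | Where-Object { $_.userPrincipalName -eq $UserUpn } } |
    ForEach-Object { "$($_.activityDateTime)  $($_.activityDisplayName)  by $($_.initiatedBy.user.userPrincipalName)" }
```

Run it as `.\New-Tap.ps1 -UserUpn alice@contoso.com` (the script name is this example's own). If the policy does not cover the user, step 3 fails with a 400 from Graph even though step 1 passed, so treat the include-targets line as a reminder to check group membership rather than as proof of scope. The pass is placed on the clipboard rather than printed precisely because the bearer-credential warning above applies to every log sink the console output might reach.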

The fastest way to get this done is to ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

Generate a 60-minute, one-time Temporary Access Pass for {user_upn} so they can bootstrap MFA. Check for and replace any existing TAP, then return the pass.

For End Users

How an employee would ask Dex for help

I'm a new hire and I need a temporary code to set up the Authenticator app for the first time.