
From ‘Welcome1!’ to TAP

Zach Jones,
Engineering Manager & Lead Architect


May 1, 2025

Traditional password sharing has long been a thorn in the side of IT organizations. If you follow Microsoft’s trends, you’ll notice a growing shift away from user account passwords and the traditional requirement to change them regularly. Organizations that enforce multifactor authentication (MFA)—and require at least one passwordless method, such as Microsoft Authenticator—are more secure than ever.

However, even with MFA in place, vulnerabilities can arise. Identity and Access Management (IAM) and frontline support teams often introduce risk when sharing passwords with new users or performing password resets. How many new employees have logged in for the first time using “Welcome1!” or “Companyname1#”? Probably more than we’d like to admit.

To address these risks and improve security, Microsoft introduced Temporary Access Pass (TAP) a few years ago. TAP provides secure, time-bound credentials for onboarding users or enabling other credential-sharing scenarios—without compromising long-term account security.

How is TAP different from a normal password?

The key difference is in the name: “Temporary.” TAP allows administrators to define conditions such as:

Number of uses (one-time or multiple)

Lifetime (scheduled validity windows)

Security compliance (length and character requirements aligned with organizational standards)

One of TAP’s most valuable use cases is onboarding new users. IAM teams can issue a TAP in advance and align its activation with a user’s official start date. This allows hiring managers to receive the TAP ahead of time, with no risk of premature access.
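The onboarding scenario above, issued through the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. It first confirms that the tenant's TAP authentication method policy is enabled, then creates a one-time pass that only becomes usable at the new hire's start date. The user principal name and start date are placeholders, and the 480-minute lifetime assumes it is within the maximum allowed by the tenant's TAP policy.

```powershell
# Added example: issue a one-time Temporary Access Pass (TAP) for a new hire
# that activates on the start date and expires 8 hours later.
# Requires the Microsoft.Graph.Identity.SignIns module and an account holding
# the Authentication Administrator role (or higher).
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All", "Policy.Read.All"

# Guard: TAP cannot be issued unless the method is enabled in the tenant policy.
$tapPolicy = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "TemporaryAccessPass"
if ($tapPolicy.State -ne "enabled") {
    throw "TAP is not enabled in the authentication methods policy; enable it before issuing passes."
}

$userUpn   = "new.hire@contoso.example"      # placeholder: the new hire's UPN
$startDate = Get-Date "2025-06-02 08:00"     # placeholder: first day, local time

$params = @{
    UserId            = $userUpn
    StartDateTime     = $startDate.ToUniversalTime()  # Graph stores the window in UTC
    LifetimeInMinutes = 480                           # usable for 8 hours after activation
    IsUsableOnce      = $true                         # spent after a single sign-in
}

$tap = New-MgUserAuthenticationTemporaryAccessPassMethod @params

# The pass value is returned once and cannot be retrieved again. Hand it to the
# hiring manager out of band; do not write it to logs or ticket notes.
[PSCustomObject]@{
    User       = $userUpn
    ValidFrom  = $tap.StartDateTime
    ValidUntil = $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes)
    OneTime    = $tap.IsUsableOnce
    Pass       = $tap.TemporaryAccessPass
}
```

Because the pass is not usable before ValidFrom, the manager can hold it ahead of the start date without granting early access; if the hire is delayed, remove the method with Remove-MgUserAuthenticationTemporaryAccessPassMethod and issue a new one.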

TAP does not replace the need for user identity verification. If TAP credentials are distributed verbally, frontline support teams should still follow a strict verification process. For new hires, managers play a key role in confirming identity.

However, organizations can eliminate most scenarios involving shared passwords by requiring self-service password reset (SSPR) for all users—a recommended default setting within Entra ID.

Become a Passwordless Organization

TAP is a critical step toward a passwordless environment, but it’s just one piece of the puzzle. Microsoft Authenticator and Windows Hello for Business (WHFB) are also essential tools in enhancing authentication security.

Other MFA methods—such as email, text, and voice—are still available, but due to their vulnerabilities, we expect these to be phased out over time.

Learn more about TAP from Microsoft
