Modernizing Mobility

 

Using TAP to Enroll a Device into Windows Hello for Business

In today's IT environments, security and user convenience are paramount. One way to streamline secure access is by using Temporary Access Pass (TAP) to enroll devices into Windows Hello for Business. This blog will guide you through the steps.

What is TAP

Temporary Access Pass (TAP) is a time-limited passcode that can be used to onboard a device into Windows Hello for Business. TAP simplifies the initial setup process and helps users quickly and securely access their work environments.

• Sign in to the Azure portal using an account with global administrator permissions.
• Search for and select Azure Active Directory (Entra ID), then choose Security from the menu on the left-hand side.
• Under the Manage menu header, select Authentication methods > Policies.
• From the list of available authentication methods, select Temporary Access Pass.

Set up Temporary Access Pass for Users

• Global Administrators can create, delete, and view a Temporary Access Pass on any user (except themselves)

• Privileged Authentication Administrators can create, delete, and view a Temporary Access Pass on admins and members (except themselves)

• Authentication Administrators can create, delete, and view a Temporary Access Pass on members (except themselves)
• Sign in to the Azure portal as either a Global administrator, Privileged Authentication administrator, or Authentication administrator.
• Select Azure Active Directory, browse to Users, select a user, then choose Authentication methods.
• Select the option to Add authentication methods.
• Below Choose a method, select Temporary Access Pass.
• Define a custom activation time or duration and select Add. (1 hour preferable)

After you enable a tenant-level TAP policy, as explained in earlier steps, you can create a Temporary Access Pass for a user in Azure AD. These roles can perform the following actions related to a Temporary Access Pass.

Once added, the details of the Temporary Access Pass are shown. 

• Make a note of the actual Temporary Access Pass value. You provide this value to the user via personal email, work email (if accessible via an existing device), SMS, phone, or in person.

• 
  
  Note:  You can't view this value after you select Ok.

How to enroll your device to Windows Hello for Business

Step 1: Enroll the Device

1. Start Device Setup

   • Go to Settings >> Accounts  >> Sign-in Options >> PIN (Windows Hello )

2.  Set Up Windows Hello For Business

   • Click on OK
   • 
     
     

3. Set up Temporary Access Pass

   • Click on TAP 
   • 
     
     

4. Set up Temporary Access Pass

   • Put the TAP code
   • 
     
     

5. Setup your PIN

   • 
     
     

6. All set up now