Temporary Access Pass is now in public preview
Published Mar 02 2021 06:00 AM 49.2K Views

Today we announced the general availability of our passwordless solution and the public preview of Temporary Access Pass in Azure Active Directory. Temporary Access Pass is a game-changer that completes the end-to-end passwordless onboarding experience for your users. It is a time-limited passcode they can use to set up security keys and the Microsoft Authenticator without ever needing to use, much less know, a password!

 

I’ve invited Inbar Cizer Kobrinsky, a senior program manager on the Identity Security team, to share more details about Temporary Access Pass.

 

Best Regards,

 

Alex Simons (Twitter: @alex_a_simons)

Corporate Vice President Program Management

Microsoft Identity Division

 

------------------------------------------------------------

 

Hi everyone!

 

We created Temporary Access Pass to address many of your passwordless account onboarding and recovery scenarios. In this post, I’ll introduce you to its capabilities and share why you should try it for yourself.

 

What is Temporary Access Pass?

For a user to be truly passwordless, they should neither know nor use their password; instead, they should sign in with passwordless authentication methods and have a passwordless way to recover access if they lose their authentication devices.

 

Temporary Access Pass is a time-limited passcode that allows users to register passwordless authentication methods and recover access to their account without a password.

 

Admin experience

The authentication methods policy lets you harden Temporary Access Pass issuance to fit your needs. For example, you can limit it to specific users and groups, restrict its validity to a short period, or make each pass single-use. After enabling the Temporary Access Pass policy, you can create a Temporary Access Pass for your users.

 

Figure: Temporary Access Pass authentication method policy

 

 

The updated user authentication method page allows a Privileged Authentication Administrator or an Authentication Administrator to create a Temporary Access Pass for a user, within the limits allowed by the Temporary Access Pass authentication methods policy.

 

 

Figure: Creating a new Temporary Access Pass on a user from the Azure AD portal

 

End user experience

Once a user has a valid Temporary Access Pass, they can use it to sign in and register a FIDO2 key from the My Security Info page or register for passwordless phone sign-in directly from the Authenticator app.

 

Figure: Sign in to Azure AD with Temporary Access Pass

 

Learn more

You can learn more about how to configure Temporary Access Pass in the documentation.

 

Some of you may have existing applications for new-employee onboarding. Temporary Access Pass is available through the Microsoft Graph APIs, so you can incorporate it into those applications. Get details on the TAP authentication method APIs and on how to use the policy APIs.
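As an added example (not Microsoft's code), this is the flow an onboarding application would follow with those Graph APIs: read the tenant's TAP policy, reject a request that falls outside its bounds, then create the pass for a user. The endpoint paths and property names are the Microsoft Graph v1.0 ones; the HTTP transport (which in a real application would attach the bearer token) is injected, and the `fake_graph` stand-in and `SAMPLE_POLICY` values are constructed so the code runs offline.

```python
"""Issue a Temporary Access Pass (TAP) via Microsoft Graph after checking the request against
the tenant TAP policy. Added example, not Microsoft's code; HTTP transport is injected."""
from typing import Callable, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
POLICY_URL = (GRAPH + "/policies/authenticationMethodsPolicy"
              "/authenticationMethodConfigurations/TemporaryAccessPass")
# Transport: (method, url, json_body_or_None) -> (status_code, parsed_json)
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


def policy_violation(policy: dict, lifetime_minutes: int, usable_once: bool) -> Optional[str]:
    """Return why the TAP policy forbids this pass, or None if it is allowed."""
    if policy.get("state") != "enabled":
        return "TAP authentication method is disabled in the tenant policy"
    lo, hi = policy["minimumLifetimeInMinutes"], policy["maximumLifetimeInMinutes"]
    if not lo <= lifetime_minutes <= hi:
        return f"lifetime {lifetime_minutes} min is outside the policy range {lo}-{hi}"
    if policy.get("isUsableOnce") and not usable_once:
        return "policy requires one-time-use passes"  # reusable passes cannot be issued
    return None


def issue_tap(transport: Transport, user_id: str, lifetime_minutes: int,
              usable_once: bool = True) -> dict:
    """Read the policy, validate locally (clear error instead of a Graph 400), POST the pass.
    The temporaryAccessPass value is returned only in this response: deliver it to the
    user out of band and never write it to logs."""
    status, policy = transport("GET", POLICY_URL, None)
    if status != 200:
        raise RuntimeError(f"policy read failed with HTTP {status}")
    reason = policy_violation(policy, lifetime_minutes, usable_once)
    if reason:
        raise ValueError(reason)
    body = {"lifetimeInMinutes": lifetime_minutes, "isUsableOnce": usable_once}
    url = f"{GRAPH}/users/{user_id}/authentication/temporaryAccessPassMethods"
    status, method = transport("POST", url, body)
    if status != 201:
        raise RuntimeError(f"TAP creation failed with HTTP {status}: {method}")
    return method


# Constructed stand-in for Graph (response shapes only) so the example runs offline.
SAMPLE_POLICY = {"id": "TemporaryAccessPass", "state": "enabled", "isUsableOnce": False,
                 "minimumLifetimeInMinutes": 10, "maximumLifetimeInMinutes": 480}


def fake_graph(method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
    if method == "GET" and url == POLICY_URL:
        return 200, SAMPLE_POLICY
    if method == "POST" and url.endswith("/authentication/temporaryAccessPassMethods"):
        return 201, {"temporaryAccessPass": "<placeholder>", "isUsable": True,
                     "lifetimeInMinutes": body["lifetimeInMinutes"], "isUsableOnce": body["isUsableOnce"]}
    return 404, {"error": {"code": "ResourceNotFound"}}
```

Swapping `fake_graph` for a function that calls Graph with a token holding `Policy.Read.All` and `UserAuthenticationMethod.ReadWrite.All` turns this into the real request.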

 

Tell us what you think

Give it a try and let us know if you have questions or feedback. I hope you will love it as much as we do!

 

Inbar Cizer Kobrinsky (@inbarck),

Senior Program Manager,

Microsoft Identity Division

 

 


 

20 Comments
Iron Contributor

Will this only work for Azure AD Cloud groups vs AD synced groups?

Hi @Chris_Clark_Netrix - If I understand correctly you are asking about scoping to users and groups - the answer is that you can scope the policy to any group. 

Iron Contributor

Sorry, I phrased that wrong.  @Inbar Cizer Kobrinsky Does this only work for Azure AD cloud only accounts or can it work with AD Synced accounts as well?

@Chris_Clark_Netrix  - you can issue Temporary Access Pass for cloud and federated accounts. If a federated user has a valid pass, they will be able to use it for cloud authentication and register a passwordless method. From that point on, the user can be federated but if using passwordless method - they will be able to do cloud authentication. 

Brass Contributor

I understand this is primarily designed to help users get registered for passwordless - but for customers who are still using passwords/MFA, can it be used by IT to provide temporary access to a user's account (say, to log into their AzureAD joined workstation) without having to reset their password? Or for say the ability to start the autopilot process on their laptop for them? If so, I assume the login will still be subject to MFA challenge, or does TAP bypass that? Thanks!

Copper Contributor

@Unearth I saw this when reading about the pass. 

 

https://www.inthecloud247.com/my-first-experience-with-temporary-access-pass-during-windows-autopilo...

 

It definitely appears to work with Autopilot but it does appear to have limitations for Hybrid AD joined computers.

Copper Contributor

@Inbar Cizer Kobrinsky Any dates for enabling TAP for Autopilot again? It was disabled last week.

Steel Contributor

@Inbar Cizer Kobrinsky we're doing a pilot this week with 100 users using this. One question, we're creating new Azure AD (Cloud Only) users for this. By default when you create these you have to create an initial password (or let Azure AD autogenerate one for you). This means the users will actually have a password under the hood (even though never used).

 

Comments? Any plans to make it possible to create users that truly don't have a password or am I missing something?

Silver Contributor

This is a great feature, but we are observing a new risk: hackers are moving toward hacking mobile devices, and in this case they would have access to Authenticator apps and credentials.

In addition, hacking a phone is much easier than hacking Windows, so this is a new concern.

But options like Windows Hello are great passwordless methods.

Copper Contributor

@Jonas Back Regarding your last question. It is still an ongoing task to become really passwordless as stated in the following Microsoft Mechanics video: https://youtu.be/GfKeiKA8aEo?t=63

Currently it is just "use the password less" :D

 

I guess that as long as the Microsoft 365 Roadmap still lists the task to deploy TAP as "Rolling out", the new way to remove the need for user passwords can't be enabled.

Steel Contributor

@Andreas_Rinner that is correct! I actually reached out to a program manager at Microsoft and he confirmed that it's still required to set an initial password but they will solve it in the future.

Copper Contributor

Do you know what the correct SAML 2.0 claim is called for this? Something with urn:oasis:names..... ?

Copper Contributor

@Inbar Cizer Kobrinsky any plans/roadmap items for making this available in GCC/GCCH?

Brass Contributor

Any update on using TAP (Temporary Access Pass) to set up a device after Autopilot pre-deployment and also to enroll Windows Hello for Business?
Otherwise it kinda defeats the purpose of having TAP...

Microsoft

@Mark Gonzalez @Sander de Wit - both your requests are in the works as part of bringing TAP to general availability.

Copper Contributor

@Libby Brown Thanks!  Any thoughts when it might be updated/added to the roadmap site? 

https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=Temporary%2CAccess%2CPass

 

Thanks again Libby!

Mark 

Brass Contributor

Is there a reason this doesn't work on OOBE?

 

It's the most common requirement we have at clients to stop sharing passwords for provisioning legacy complex apps that can't be deployed via MDM.

Iron Contributor

UPDATE!!!
After allowing enough time for Azure sync to complete, the user can now use TAP successfully. One thing to remember is that any changes in the cloud can take time to replicate before they are applied.

I configured our tenant per the documentation, but so far the test account I am using continues to receive the error: "Temporary Access Pass sign-in was blocked due to User Credential Policy." I have all users assigned to the combined security registration feature that forces them to use the single registration portal. Any insight as to what may be the cause for not allowing access after TAP accepts the assigned temporary password?

Microsoft

@wilhil We hear you and are working on adding TAP support for OOBE experiences. 

Copper Contributor

After we enable Temporary Access Pass from Azure AD - Security - Authentication methods, I understood that we need to enable the authentication method explicitly for each user to use Temporary Access Pass. Is there a way to validate or identify for how many users Temporary Access Pass is enabled?

 

Appreciate your response.

 

Regards,

Hemanth 

Version history
Last update:
‎Mar 02 2021 09:16 AM