Our management team is wary of using TAP (Temporary Access Pass) authentication in our Entra tenant because it's perceived as a potential security risk. The main concern is that when a TAP is enabled, it can happen without users being aware of it—unlike a password change, they won't receive any notifications. This poses a threat, especially if an admin were to maliciously exploit this capability or get tricked into issuing a TAP. Is there a way to enhance security around TAP activations, such as implementing role-based access or multi-admin approval processes?
2 Answers
One way to secure TAP is to ensure it's behind Privileged Identity Management (PIM) and requires approval from trusted individuals. If an admin changes the account password, users will realize quickly when their access is blocked, but ideally, they should be using passwordless methods like Windows Hello.
It's also good to remember that TAP usage is logged, giving you some oversight there.
To mitigate risks effectively, lock TAP behind PIM and ensure only trusted admins have the power to approve its issuance.
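The oversight the answer mentions only helps if someone actually reviews the log. The following is an added example, not code from the answer above or from Microsoft: a small Python script that reads audit records in the shape of Graph `directoryAudit` entries (the field names are assumed, the TAP activity string is a placeholder to verify against your own tenant, and the log lines are constructed) and flags TAP registrations issued by an admin outside the PIM-approved set or targeting a protected account.

```python
import json

# Constructed sample records shaped like Entra directoryAudit entries.
# Field names are assumed; verify the exact TAP activityDisplayName in your tenant.
SAMPLE_AUDIT_JSONL = """
{"activityDateTime": "2024-05-01T09:00:00Z", "activityDisplayName": "Admin registered temporary access pass method for user", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "helpdesk-admin@example.com"}}, "targetResources": [{"userPrincipalName": "alice@example.com"}]}
{"activityDateTime": "2024-05-01T09:05:00Z", "activityDisplayName": "Admin registered temporary access pass method for user", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "rogue-admin@example.com"}}, "targetResources": [{"userPrincipalName": "cfo@example.com"}]}
{"activityDateTime": "2024-05-01T09:06:00Z", "activityDisplayName": "Update user", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "rogue-admin@example.com"}}, "targetResources": [{"userPrincipalName": "bob@example.com"}]}
{"activityDateTime": "2024-05-01T09:07:00Z", "activityDisplayName": "Admin registered temporary access pass method for user", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "helpdesk-admin@example.com"}}, "targetResources": [{"userPrincipalName": "cfo@example.com"}]}
"""

TAP_ACTIVITY = "Admin registered temporary access pass method for user"  # placeholder, assumed
APPROVED_TAP_ISSUERS = {"helpdesk-admin@example.com"}  # e.g. members of the PIM-eligible role
PROTECTED_ACCOUNTS = {"cfo@example.com"}  # executives, break-glass accounts, etc.


def parse_audit(jsonl: str) -> list[dict]:
    """Parse one JSON audit record per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def tap_events(records: list[dict]) -> list[dict]:
    """Reduce raw records to successful TAP registrations: who issued, for whom, when."""
    out = []
    for r in records:
        if r.get("activityDisplayName") != TAP_ACTIVITY or r.get("result") != "success":
            continue
        actor = r.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<app>")
        for target in r.get("targetResources", []):
            out.append({"time": r["activityDateTime"], "actor": actor,
                        "target": target.get("userPrincipalName")})
    return out


def find_alerts(records: list[dict]) -> list[dict]:
    """Flag TAP issuance that falls outside the approved-issuer / protected-account policy."""
    alerts = []
    for event in tap_events(records):
        reasons = []
        if event["actor"] not in APPROVED_TAP_ISSUERS:
            reasons.append("issuer not in approved TAP-issuer set")
        if event["target"] in PROTECTED_ACCOUNTS:
            reasons.append("TAP issued for protected account")
        if reasons:
            alerts.append({**event, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_audit(SAMPLE_AUDIT_JSONL)):
        print(f"{alert['time']} {alert['actor']} -> {alert['target']}: {'; '.join(alert['reasons'])}")
```

Feeding the alerts to the target user (the notification the question says is missing) is the natural next step once the records come from a real export.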

TAP has built-in time limits and can be set for single use, making it a strong MFA option for initial provisioning. Other verification methods like SMS or email can be intercepted, while TAP is far more secure.