Death to Passwords

By Matt Woestehoff

Passwordless Sign-In with Microsoft 365: Using Temporary Access Pass for a Seamless Setup

Let’s be honest. Secure passwords are the worst. So why not move beyond passwords to a better experience for users, and a higher level of security for your organization?

As IT people, we’re constantly balancing security with user experience. One of the best moves we can make today is to eliminate passwords altogether from a user’s responsibility. With Microsoft Entra ID (formerly Azure AD), enabling passwordless sign-in is not only possible—it’s practical. And with Temporary Access Pass (TAP), we can provision new users without ever revealing their password.

In this post, we’ll walk through how to:

  1. Enable passwordless authentication in Microsoft Entra ID

  2. Issue a Temporary Access Pass

  3. Guide users to complete setup without ever needing a password


Step 1: Enable Passwordless Sign-In Methods in Entra ID

First, check licensing. Passwordless methods (Microsoft Authenticator, FIDO2 security keys) and Temporary Access Pass are available in every Microsoft Entra ID edition; you will want Microsoft Entra ID P1 or P2 (included in Microsoft 365 E3/E5) for Conditional Access, which is how you later require these methods for sign-in rather than merely offer them.

Then:

  1. Go to the Microsoft Entra admin center

  2. Navigate to: Identity > Authentication methods > Policies

  3. Enable at least one of the following:

    1. Microsoft Authenticator (passwordless, and preferred for our Apple users)

    2. FIDO2 security keys (if you have them)

  4. Set scope to “All users” or target specific groups (recommended for pilot rollouts).

Step 2: Enable and Configure Temporary Access Pass (TAP)

  1. Still under Authentication methods, select Temporary Access Pass

  2. Enable TAP and define:

    1. Default lifetime (e.g. 10 minutes to 1 day)

    2. One-time use (recommended for onboarding)

    3. Targeted users or groups

This gives you a secure, time-bound code users can use once to register their passwordless methods.


Step 3: Create a New User (No Password Required)

When adding a user via Microsoft 365 Admin Center or Entra ID:

  1. Create the user account as usual. Entra ID requires a password at creation time, so let one be generated (or generate a long random one yourself), leave “require this user to change their password when they first sign in” unchecked since the user will never use the password, and never share or record it

  2. Immediately assign a Temporary Access Pass:

    1. In the user profile: Authentication methods > Add method > Temporary Access Pass

    2. Choose duration and whether it’s one-time


Step 4: Send the TAP and Enrollment Instructions

Send the user:

  • Their username (UPN)

  • The TAP code

  • A link to the registration portal: https://aka.ms/mysecurityinfo

When they sign in at that link, the TAP stands in for a password and lets them register:

    • Microsoft Authenticator app (push or face/fingerprint)

    • FIDO2 key (if available)

They’ll never see or set a traditional password. The account still has one (the random value generated at creation), so to make sure it can never be used on its own, pair this rollout with a Conditional Access policy that requires an authentication strength (for example “Phishing-resistant MFA”, or a custom strength listing only your passwordless methods) for these users.
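Steps 3 and 4 above can be scripted so that no human ever sees the password. The following is an added example written for this post, not code from the original author: it creates the user through the Microsoft Graph PowerShell SDK with a throwaway random password, issues a one-time Temporary Access Pass, and emits just the fields the onboarding message needs. It assumes the Microsoft.Graph modules are installed, that the signed-in admin can create users and manage authentication methods, and that TAP has already been enabled in the policy from Step 2. The tenant domain, the parameter names and the 60-minute lifetime are hypothetical values to replace for your tenant.

```powershell
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns
# Added example, not the original post's code. Provisions an Entra ID user without
# disclosing a password, then issues a one-time Temporary Access Pass (TAP).
param(
    [Parameter(Mandatory)] [string] $DisplayName,     # e.g. "Ada Lovelace" (hypothetical)
    [Parameter(Mandatory)] [string] $MailNickname,    # e.g. "ada" (hypothetical)
    [string] $Domain = "contoso.example",             # hypothetical tenant domain
    [int]    $TapLifetimeMinutes = 60                 # must fall inside the TAP policy's min/max
)

# Scopes: User.ReadWrite.All to create the account, UserAuthenticationMethod.ReadWrite.All for the TAP.
Connect-MgGraph -Scopes "User.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All" -NoWelcome

# Entra ID insists on a password at creation time. Generate a long random one,
# hand it to the API once, and discard it: nobody reads or stores it.
function New-ThrowawayPassword {
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    # Base64 gives upper/lower case letters, digits and '+' '/'; the trailing '!'
    # guarantees a symbol even if '+' and '/' happen not to appear.
    return ([Convert]::ToBase64String($bytes) + "!")
}

$upn = "$MailNickname@$Domain"

$user = New-MgUser `
    -DisplayName $DisplayName `
    -MailNickname $MailNickname `
    -UserPrincipalName $upn `
    -AccountEnabled `
    -PasswordProfile @{
        Password                      = (New-ThrowawayPassword)
        # The user will never use this password, so do not force a change on first sign-in.
        ForceChangePasswordNextSignIn = $false
    }

# Issue the TAP: usable once, short-lived, valid from now.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod `
    -UserId $user.Id `
    -BodyParameter @{
        lifetimeInMinutes = $TapLifetimeMinutes
        isUsableOnce      = $true
    }

# Exactly what the onboarding message needs, and nothing else. Send the TAP over a
# different channel from the username (UPN by email, TAP by phone, for instance) so a
# single intercepted message does not hand an attacker a working credential.
[pscustomobject]@{
    UserPrincipalName   = $upn
    TemporaryAccessPass = $tap.TemporaryAccessPass
    ExpiresUtc          = $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes)
    OneTimeUse          = $tap.IsUsableOnce
    RegisterAt          = "https://aka.ms/mysecurityinfo"
}
```

Run it as `.\New-PasswordlessUser.ps1 -DisplayName "Ada Lovelace" -MailNickname ada` (hypothetical file and values). The Graph API rejects a lifetime outside the minimum/maximum set in the TAP policy, which is the check you want: the script cannot quietly hand out a longer-lived pass than Step 2 allows.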

Apple Device Strategy: Why This Works Even Better with MDM

For Mac environments, this method provides even more value using MDM and Platform SSO:

  • You don’t need to bind Macs or sync local passwords

  • If you’re using an MDM (and you should be), you can enforce FileVault and escrow the recovery key centrally

  • The local Mac password becomes decoupled from cloud identity

  • Cloud access is secured via passwordless login (Authenticator, FIDO2), while device access is managed by MDM

Controversial, sure, but this approach simplifies your fleet management while improving security posture. Users can authenticate into cloud services without ever tying that experience to their Mac login.

Why This Matters

Better security: Removes the password as a phishing and password-spray target. FIDO2 keys are phishing-resistant; Authenticator passwordless sign-in is far stronger than a password plus a push approval but can still be relayed by an adversary-in-the-middle phishing site, so prefer FIDO2 where phishing resistance matters

Cleaner onboarding: No initial password confusion or resets

User experience: Setup feels modern, intuitive, and fast

Support savings: Fewer “forgot password” tickets

Apple-first friendly: Local passwords stay local, while identity is managed securely via M365 and Entra

At the end of the day, stolen, phished, and reused passwords remain the most common way attackers get into cloud tenants. By removing the password from the user’s hands, we move forward for users and for security.

Want to learn more? Contact us today!
