top of page
Search

Conditional Access Essentials: Managing Exclusions with Identity Governance and Temporary Access Pass

  • welka2111
  • 3 days ago
  • 9 min read
Conditional Access

Introduction

Welcome back to another post in my series on conditional access essentials.

By now, if you’ve been following along, you probably feel like you’re in a good place. You’ve set up some conditional access policies, maybe tested them out, and you’re confident you could roll them into a production tenant. First of all - well done. But also… let’s not get too comfortable.

Here’s the reality: conditional access is powerful, but sooner or later you’re going to bump into real-world problems that theory doesn’t prepare you for.

Think about it:

  • You’ve just switched on MFA for everyone - how do you onboard new users without locking them out before they even start?

  • One of your employees loses their phone and suddenly can’t use Authenticator - what then?

  • Your organisation blocks sign-ins from certain countries - but what happens when someone has to travel there for work?

These are the kinds of challenges that can trip up even seasoned IT pros. That’s why today we’re going to look at how to manage exclusions in a smart way, without leaving big security holes.

Specifically, we’ll cover two tools in Microsoft Entra that can make life easier:

  • Temporary Access Pass (TAP): a secure way to onboard and recover users.

  • Identity Governance (Access Packages): a structured way to manage exceptions like travel access.

Let’s break it down.


Table of Contents



Temporary Access Pass (TAP)

A Temporary Access Pass (TAP) is a time-limited code that allows a user to sign in when they don’t yet have a secure authentication method set up - or when they’ve lost access to one.

Think of it like a temporary door key:

  • You can set it to expire after a certain time.

  • It can be single-use or multi-use.

  • It always satisfies a Conditional Access requirement for MFA (including 'Modern MFA')

  • It’s randomly generated and can never be retrieved once created.

So why is this useful? Because it avoids the classic “MFA chicken and egg” problem.

Without TAP, you often end up in a loop:

  1. The user logs in for the first time.

  2. Conditional Access demands MFA.

  3. But they don’t have MFA set up yet… so they’re stuck.

With TAP, an admin can give them a short-lived passcode. They log in, register their proper authentication methods (Authenticator, passkey, FIDO2, etc.), and carry on.

It’s equally useful when a user loses their phone - instead of messing around with endless resets, you just issue a TAP, and they’re back in business.


Why TAP matters for conditional access?

Let’s look at a real-world scenario.

  • Devices may be provisioned with Autopilot at your organisation.

  • Conditional Access requires:

    1. MFA for all apps.

    2. MFA to register security information.

    3. A compliant (corporate) device to register security information.

Result? Deadlock. The user can’t log in without MFA, but they can’t set up MFA without logging in. And device compliance may not even kick in during the initial setup process.

TAP solves this:

  • The admin issues a TAP.

  • The user signs in smoothly, because TAP counts as MFA.

  • They go to aka.ms/mysecurityinfo and add proper sign-in methods.

  • When the TAP expires, they use their registered strong authentication going forward.


Recommendation:  Use TAPs to bootstrap new users and handle recovery. They protect registration flows without endless admin intervention.

NOTE: If you’re using interrupt mode for MFA or Self-Service Password Reset, these aren’t yet compatible with registering passkeys (FIDO2). That means users might need to go through two steps: first complete the interrupt mode setup, then manually register their passkey before the TAP expires. Reference: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-registration-mfa-sspr-combined

TIP: Provide your users with clear documentation and step-by-step guides for registering security information. It’ll save you a lot of support tickets.


How to configure and issue TAPs

Enable TAP in Entra

  1. Sign in to the Microsoft Entra admin centre as an Authentication Policy Administrator (or higher).

  2. Go to Entra ID > Authentication methods > Policies.

  3. Select Temporary Access Pass from the list.

    Temporary Access Pass (TAP)

  4. Click Enable, then choose which users or groups you want to include.

    Temporary Access Pass settings screen with "Enable" toggled on. Options for "All users" selected in targeting. Text describes TAP usage.

  5. (Optional) Configure settings such as lifetime, length, or start time.

    Settings screen showing options for enabling or targeting with configurations for lifetime and length, featuring an "Edit" button.

  6. Save.

NOTE: Only users covered by this policy can sign in with a TAP.


Create a TAP for a User

Once enabled, you can generate a TAP for an individual user:

  1. Sign in as an Authentication Administrator.

  2. Navigate to Entra ID > Users, and select the user.

    Microsoft Entra admin center interface showing user management options. "All users" is highlighted, with "44 users found" displayed.

  3. Open Authentication methods > Add authentication method.

    User interface for authentication methods with “Add authentication method” button highlighted. Features and options like Microsoft Authenticator and Temporary Access Pass are listed.

  4. Select Temporary Access Pass.

    User interface for selecting an authentication method. Options include Email, Phone number, Temporary Access Pass, QR code. Cursor on Access Pass.

  5. Configure duration and activation time.

    Authentication setup screen for Temporary Access Pass. Options include delayed start time, activation duration slider, and one-time use toggle.

  6. Save.

Important: You’ll only see the TAP value once. Make a note of it and pass it securely to the user.

Screenshot of Temporary Access Pass details with pass ID, secure registration link, validity times, and a security reminder in a pop-up box.

Use a TAP

  • The user goes to aka.ms/mysecurityinfo.

  • They enter their UPN (e.g. user@contoso.com).

  • If they’re in the TAP policy, they’ll be prompted to enter their TAP.

    Login screen prompting for a Temporary Access Pass with an option to show it. Includes a "Sign in" button and partial email address.

  • Once signed in, they can register MFA methods and delete the TAP.

    Security info page showing sign-in methods: password, Microsoft Authenticator on iPhone, and temporary access pass. "Add sign-in method" highlighted.

That’s the TAP lifecycle in a nutshell.



***


Identity Governance

Identity Governance in Microsoft Entra ID is all about making sure the right people have the right access to the right resources, and only for as long as they actually need it.

This isn’t just about tightening security; it’s also about reducing admin overhead and giving users a smooth, self-service experience. Identity Governance is built around a few key capabilities:

  • Access Reviews - regularly check if people still need access.

  • Entitlement Management - automate and streamline access requests, approvals, and lifecycle.

  • Privileged Identity Management (PIM) - control and monitor privileged accounts. (To see how you can use conditional access to require reauthentication every time that someone activates a PIM role check out this post.)

Let’s break these down further.


Entitlement Management

At its core, Entitlement Management is about managing access at scale. Instead of IT manually granting (and forgetting to revoke) permissions, you can:

  • Automate access requests and approval workflows

  • Define who can request access and under what conditions

  • Set expiry dates so temporary access doesn’t linger

  • Run periodic reviews to confirm ongoing need

  • Cover both internal users and external collaborators (like vendors or partners).

Think of it like a self-service access shop with built-in guardrails. Users can request access to apps, Teams, groups, or SharePoint sites, and Entra handles the workflows automatically in the background.


Some real-world examples of why this matters:

  • A travelling employee can request temporary access to log in from a blocked country.

  • A contractor can get into a specific Team for the duration of a project.

  • An auditor can request read-only access to sensitive reports, which is then automatically revoked when their review ends.

The key benefit is lifecycle automation - onboarding, access changes, and offboarding - without IT constantly in the loop, but still with complete visibility and control.


Access Packages

Now that you understand Entitlement Management, Access Packages will make a lot more sense. These are the building blocks that live inside Entitlement Management. You create Access Packages to bundle together apps, groups, and resources, and then publish them for users to request.

They can include:

  • Group or Team membership

  • Applications (SaaS or custom apps)

  • SharePoint sites

  • Even Microsoft 365 licences (via group-based licensing).

Instead of IT manually adding people to each of these, the user requests the package, approvals happen (if required), and it’s all automated.


So what does this have to do with conditional access exclusions?

You can build Access Packages that temporarily put a user into a group which is excluded from a specific CA policy. For example:

  • Normally, you block logins from outside your home country.

  • But you create a “Travel” Access Package that adds the user to a group excluded from that geographic block.

  • When they come home, the package expires, and the exclusion is automatically removed.

It’s neat, self-service, and doesn’t leave permanent holes in your policies.


Example scenario: secure travel access

Let’s make it concrete.

In a previous post, I showed how to block access from unauthorised locations. Let’s reuse that scenario.



Imagine Adele, one of our users, has a business trip to France. Normally, we block France since our company doesn’t have an office there. But now she needs full access to Microsoft 365 apps while travelling.

Here’s what we do:

  1. Create a sub-persona group, e.g. CA-Internals-Travel. Blog post covering the creation of personas can be found here. Example:

    Microsoft Entra admin center interface showing "New Group" creation with options for group type, name, and roles. Settings menu on the left.

  2. Create a named location, e.g. Internals-Travel-ApprovedCountries. Blog post covering the creation of named locations can be found here. Example:

    Microsoft Entra Admin Center screen showing "Conditional Access" setup. "New location" dialog for countries with options to include France, create or cancel.

  3. Build a conditional access policy that only applies to CA-Internals-Travel persona, with geo restrictions scoped to the new named location. Personally, I prefer the block approach, even though you have more flexibility using grant controls.

    In this example, the policy will:

    • Block access to all apps for the CA-Internals-Travel persona

    • From all locations

    • Except for the named location “Internals-Travel-ApprovedCountries”, which includes France. Config details below:

    Conditional Access policy screen showing configuration settings for user access control based on network location, with options to include or exclude specific networks.


    A data table with pink headers lists access control info: users, resources, and network locations. Grant control is set to "Block."


  4. Exclude the CA-Internals-Travel persona from your conditional access policy that blocks access from an unauthorised countries (my policy was called 011-Global-AllApps-UnapprovedLocation-Block). The configuration details are shown below and are also covered earlier in this post.

    Conditional Access policy interface with settings to block unapproved locations. Users, resources, network details, and exclusions are shown.

    A table listing access rules with purple headers. Includes user criteria, app resources, network locations, and a grant control labeled "Block".

  5. Set up an Access Package that Adele can request, which temporarily puts her in CA-Internals-Travel.

This way:

  • Adele can work securely in France.

  • IT doesn’t have to fiddle with policies every time someone travels.

  • Exclusions are temporary, tracked, and reviewed.


Creating an access package

Step 1: Start the creation process

  1. Sign in to the Microsoft Entra admin centre as at least an Identity Governance Administrator.

  2. Go to Identity Governance > Entitlement management > Access packages.

  3. Select + New access package.

    Microsoft Entra admin center interface showing "Identity Governance," "Access packages," and a highlighted "New access package" button.


Step 2: Configure basics

On the Basics tab:

  1. Give your access package a name and description.

    • Users will see this when they request access, so make it clear and meaningful.

      Admin center interface showing "New access package" creation. Details include name "Access Package: Internals Travelling" and catalog "General".

  2. Select the catalog where this package should live.

    • Example: You might have a Sales catalog managed by a catalog owner who looks after sales resources.

NOTE: If you don’t see a suitable catalog and you have the right permissions, you can create a new one on the fly. The package and its resources will then live in that catalog.

Step 3: Add resource roles

Now decide which resources the package should provide access to:

  1. Choose a resource type: Groups and Teams, Applications, or SharePoint sites.

    Microsoft Entra admin center shows "New access package" section. A red arrow points to "+ Groups and Teams" under "Resource roles."

  2. Pick the specific resources.

    • If you’re an Identity Governance Admin or catalog owner, you can also add resources that aren’t yet in the catalog (these get added automatically). In my case, my resource role is going to be a member of the CA-Internals-Travel group (persona)

      Microsoft Entra admin center interface showing group selection. "CA-Internals-Travel" is checked. Navigation menu is on the left.

  3. Select the role users should get for each resource (e.g., group member, application user). In my example, it’s member. In other words, when a user logs their travel request via this access package, once approved, they’ll be added to the CA-Internals-Travel persona. As a result, they’ll be excluded from the standard unauthorised policy and instead fall under a different Conditional Access policy that allows travel to approved countries.

    UI screen showing a form titled "New access package" with tabs. Resource "CA-Internals-Travel" is set as "Member" in a dropdown.

    For groups managed by PIM, both active and eligible roles will be available.

Step 4: Create the initial request policy

Policies define who can request the package and how approvals work. On the Requests tab:

  • Decide if the package can be requested by:

    • Specific users or groups

    • All members (excluding guests)

    • All users (including guests)

If you’re allowing guest users (via Entra B2B), they’ll be included only if you choose the “All users (including guests)” option.

Next, set your approval settings:

  • You can require approval from a manager, an admin, or skip approval for automatic assignments.

  • Start simple - you can always add more request policies later. Example:

    New access package form with options for user requests, approvals, and stages. Buttons for review and next steps are at the bottom.

    Settings page with options for email notifications and request enabling. Blue toggle buttons, instructional text, and navigation buttons visible.


Step 5: Requestor information

Specify which questions you’d like users to answer when they submit an access package request (e.g., travel dates, destination country, business justification).

Form filling interface for "New access package" with travel questions and answer format options. Checkbox and delete icons present.


Step 6: Lifecycle settings

Define how long the assignment lasts, when it should expire, and whether users need to re-request access.

Settings page for a new access package in an online dashboard. Options include expiration, access reviews, and reviewer selection. Visible text shows dates and review settings.


Step 7: (Optional) configure custom extensions. Note that this feature requires the Microsoft Entra ID Governance subscription

Configuration screen for creating a new access package in Microsoft Entra ID. Text fields for selecting stage and custom extension are shown.

Step 8: Review and create

Double-check all your settings, then hit Create.

Access package configuration summary with sections: Basics, Resource Roles, Requests. Includes fields like Name, Description, Approvers. Create button.

The end user and approver experience with access packages

So far, we’ve looked at how to create and configure access packages. But what does the process actually look like for an end user (like Adele) and the approver (such as her manager)? Let’s walk through it step by step. End user experience (Adele’s point of view)

At this point, you’re already familiar with myaccount.microsoft.com and mysignins.microsoft.com. Access packages can be reached from there.


Security info page on mysignins.microsoft.com. User sidebar with options; 'My Access' highlighted. Methods shown: password, authenticator.

However, the recommended portal for users is: myaccess.microsoft.com


Here’s how Adele would request access to her “Travel” package:

  1. Sign in to myaccess.microsoft.com.

  2. In the left menu, select Access packages (or Browse available access packages).

    My Access dashboard with "Access packages" highlighted. Features an illustration and sections on requesting or approving access packages.

  3. A list of packages available to Adele is displayed.

  4. She finds the “Travel” package and clicks Request.

    Web page showing "Access packages" with tabs for Available, Active, Expired. A highlighted "Request" button, sidebar navigation on the left.

  5. Adele clicks Continue to move forward.

    Dialog box titled "Access Package: Internals Travelling" with options to copy a link or continue. Text details access while traveling.

  6. She’s then prompted with the request form that I configured earlier in Entra:

    • Dates of travel

    • Country she’s travelling to

    • Business justification

  7. Adele fills out the details and clicks Submit request.

    Travel request form for France with dates Sept 16-17, 2025, marked fields, and blue "Submit request" button.

  8. To track progress, Adele can open the Request history blade, which shows all her current and past requests.


Request history page showing a pending approval for "Access Package: Internals Travelling." User sidebar and profile photo visible.


Approver experience (manager’s point of view)

The approver (usually Adele’s manager, or a fallback approver if specified) gets an email notification from: mssecurity-noreply@microsoft.com

That email contains a link to go straight to the approval decision.

Email request to approve or deny access for Adele Vance by 12 Sep 2025. Includes details like justification, dates, and Microsoft branding.

Alternatively, the approver can:

  1. Sign in to myaccess.microsoft.com.

  2. Select the Approvals blade on the left.

    Approval dashboard showing 1 pending request for "Internals Travelling" package. Options to approve or deny. User interface with menu.

  3. Review Adele’s request. At this stage, they can:

    • View full request details

    • Check the package details

    • See any previous approval history

      Approval interface showing "Access request" for Adele Vance with options to approve or deny. Request due by Sep 12, 2025.

  4. The approver chooses Approve or Deny, adds a reason, and clicks Submit.

    Access request form showing details for "Access Package: Internals Travelling," with approval decision and reason input. Submission buttons below.

Once that’s done, Adele’s request status updates immediately.


Approval interface showing request for Adele Vance. Green notification says "Successfully approved Adele Vance." Date: Sep 7, 2025.

Notifications and Tracking

  • End user (Adele):

    • Can always check Request history to see status.

      Dashboard showing "Request history" for access packages. One entry listed with details and a profile picture at top left.

    • Receives email updates when her request is approved, when access is about to expire, and when her access finally ends.

    • Has full visibility into the approval timeline.

      Access request panel showing a request for "Access Package: Internals Travelling" on Sep 7, 2025. Approved and scheduled. Cancel option visible.


  • Approver (Manager):

    • Receives notifications for new requests.

    • Gets updates if any changes are made to a request.

      Email notification from Microsoft Security approving Adele Vance's access. Includes cartoon image and approval details. Neutral tone.

This two-sided flow keeps everything transparent: users know where their request stands, and approvers have a clean, guided workflow for making decisions.



Conclusion

Conditional Access isn’t just about enforcing rules - it’s about finding the balance between strong security and practical usability.

  • Temporary Access Pass solves onboarding and recovery headaches.

  • Identity Governance and Access Packages make exceptions manageable, auditable, and temporary.

By combining these, you get a system that’s scalable, user-friendly, and resilient against real-world messiness.

If you want the full Microsoft reference docs, you’ll find them here:


Stay tuned for more content!



Drop Me a Line, Let Me Know What You Think

Thanks for submitting!

© 2035 by Train of Thoughts. Powered and secured by Wix

bottom of page