Entra ID - Authentication Methods > Policies Access

Question

Entra ID - Authentication Methods > Policies Access

Zane Donaldson 20

I am attempting to use the Temporary Access Pass but get an error saying the UserCredentialPolicy does not allow it.

When I navigate to Entra ID > Authentication Methods > Policies I get an access error: You don't have access to this data.

I have the role of Privileged Authentication Administrator which seems like it should be sufficient for changing the policies but it's not working.

What am I missing?

Rahul Jindal 11,511 Reputation points

2025-12-10T17:38:37.0466667+00:00

Have you enabled TAP for the users in question? I wrote a blog post covering the steps. https://rahuljindalmyit.blogspot.com/2022/04/using-temporary-access-pass-in-azure-ad.html
Zane Donaldson 20 Reputation points

2025-12-10T17:42:11.59+00:00

Have you enabled TAP for the users in question?

that's specifically what I was trying to do, enable TAP. I figured out I was missing a role called Authentication Policy Administrator
Rukmini 10,505 Reputation points Microsoft External Staff Moderator

2025-12-10T17:50:49.3333333+00:00
Hey Zane Donaldson! It looks like you're experiencing some challenges with using the Temporary Access Pass (TAP) due to an access error related to the UserCredentialPolicy and your current roles.

Here are a few things you might consider checking or doing:

Role Confirmation: Ensure that you actually have the Authentication Policy Administrator role in addition to your Privileged Authentication Administrator role. The errors you're encountering suggest that the required permissions for managing TAP policies may not be fully in place.

Policy Verification: Familiarize yourself with any Managed Conditional Access (CA) policies deployed in your environment, as these settings may impact how TAP works. Microsoft has some managed policies that can’t be edited or removed, so it's worth checking to see if any are affecting your access.

TAP Configuration: Make sure that TAP has been enabled for the intended users. To do this, please follow the appropriate process or check with someone who has the necessary permissions to set this up correctly.

Access and Permissions: Since you're getting an "access error" when attempting to view the policy settings, you might want to verify if your organization has set additional custom permissions that may restrict your access despite having the correct roles.

It seems like you were on the right track with recognizing the need for the Authentication Policy Administrator role. If you find that you're missing any roles, you will need to get that addressed with your admin or through your organization's internal processes.

Follow-Up Questions:

Can you double-check if you have both the Privileged Authentication Administrator and Authentication Policy Administrator roles assigned?

Have you or any other admin verified if any specific Conditional Access policies are affecting the TAP usage in your environment?

Is it possible to get in touch with your IT admin to provide you with the necessary permissions, or to enable TAP for the users in question?

Hope this helps you troubleshoot the access issue with TAP!

References:

Managed CA policy for Microsoft associated Entra ID tenants

Configure and manage Microsoft Entra authentication with Azure SQL

Troubleshoot Microsoft Entra authentication

Multifactor authentication for Microsoft Entra ID

Microsoft Entra authentication and authorization error codes

Answer accepted by question author

0 additional answers

Your answer

Rahul Jindal 11,511 Reputation points

2025-12-10T17:38:37.0466667+00:00

Have you enabled TAP for the users in question? I wrote a blog post covering the steps. https://rahuljindalmyit.blogspot.com/2022/04/using-temporary-access-pass-in-azure-ad.html
Zane Donaldson 20 Reputation points

2025-12-10T17:42:11.59+00:00

Have you enabled TAP for the users in question?

that's specifically what I was trying to do, enable TAP. I figured out I was missing a role called Authentication Policy Administrator

Answer 1

It seems that you are encountering two issues: the error related to the UserCredentialPolicy and access restrictions when trying to view the Authentication Methods policies.

UserCredentialPolicy Error: The error indicating that the UserCredentialPolicy does not allow the use of Temporary Access Pass (TAP) suggests that the user you are trying to sign in with may not be in scope for TAP use in the Authentication methods policy. Ensure that the user is included in the policy that allows TAP usage. You can check this by navigating to the Authentication methods policy settings and verifying the users and groups included.
Access Error: Regarding the access error when navigating to Entra ID > Authentication Methods > Policies, the Privileged Authentication Administrator role may not provide sufficient permissions to manage these policies. You need to have the Authentication Policy Administrator role to update the TAP Authentication methods policy. Ensure that you have the correct role assigned to your account to manage these settings.

To resolve these issues, confirm that:

The user is included in the TAP policy.
You have the Authentication Policy Administrator role assigned to your account.

If you continue to face issues, consider reaching out to your organization's administrator for further assistance.

Share via

Entra ID - Authentication Methods > Policies Access

0 additional answers

Your answer