Why Proper Identity Management and Role-Based Access Tools Are Critical for Modern MSPs
In many managed service provider (MSP) circles, a common pain point is managing remote access to client devices—particularly when trying to scale standardized login processes using Microsoft 365 (M365) identities. It’s understandable: integrating Entra ID (formerly Azure AD) with endpoint logins and tools like Autopilot can greatly streamline provisioning and administration.
But there’s a disturbing trend emerging: using Temporary Access Pass (TAP) as a shortcut for technician access to user accounts. While it may seem like a convenient workaround, this is a blatant violation of both Microsoft’s licensing terms and core cybersecurity principles.
Let’s dissect what’s wrong with this practice—and how to fix it the right way.
What’s the Issue with TAP Abuse?
TAP is a time-limited passcode that an administrator issues so a user can sign in and register or recover their own strong authentication methods, for example during passwordless onboarding or after losing an MFA device. It is a user-centric recovery and enrolment mechanism, not a technician backdoor.
Yet some MSPs are using TAP to:
- Sign in to a user’s profile
- Bypass proper access control
- Avoid paying for additional Intune licensing or configuration overhead
Here’s why that’s a problem:
License Violation:
Microsoft's terms require a User SL for each user who accesses the service. A technician who signs in with a TAP issued for a client user is accessing the service on the strength of that user's license rather than their own, and every action they take is recorded against the user's identity.
Credential Sharing Risk:
Even if TAP is used for just a short-term login, it’s still a form of credential sharing, which contradicts every major cybersecurity framework (e.g., NIST, CIS, ISO 27001).
Audit & Compliance Liability:
Shared or misused credentials create gaps in accountability. The sign-in logs, the audit trail and any Conditional Access evaluation all record the user, not the technician, so in the event of a breach or audit there is no clear attribution of actions on the device or in the tenant.
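As an added illustration of that attribution gap (example code written for this article, not the article's own tooling or anything published by Microsoft), the check below joins an Entra audit-log export to a sign-in log export. It takes every successful sign-in whose authentication details show "Temporary Access Pass", compares the source IP address and device against that user's earlier non-TAP sign-ins, and names the admin who issued the pass shortly before. The record layouts and field names are assumed to match the admin center's JSON exports; all records in the block are constructed sample data.

```python
"""Flag Temporary Access Pass (TAP) sign-ins that look like a technician using a
client's account rather than the user recovering their own access.
Added example for this article, not code from the article or Microsoft. Field
names follow the Entra admin center JSON exports of the audit log and sign-in
log as assumed here; every record below is constructed sample data."""
from datetime import datetime, timedelta, timezone

TAP_METHOD = "Temporary Access Pass"                 # authenticationMethod in sign-in log
TAP_REG_ACTIVITY = "Admin registered security info"  # activityDisplayName in audit log
MFA = ["Password", "Microsoft Authenticator App"]


def tap_issued(when, admin, user):
    """Audit-log record for an admin registering a TAP on a user (constructed)."""
    return {"activityDateTime": when, "activityDisplayName": TAP_REG_ACTIVITY,
            "resultReason": "Admin registered temporary access pass method for user",
            "initiatedBy": {"user": {"userPrincipalName": admin}},
            "targetResources": [{"userPrincipalName": user}]}


def signin(when, upn, ip, device_id, methods, error_code=0):
    """Sign-in log record with only the fields this check reads (constructed)."""
    return {"createdDateTime": when, "userPrincipalName": upn, "ipAddress": ip,
            "status": {"errorCode": error_code}, "deviceDetail": {"deviceId": device_id},
            "authenticationDetails": [{"authenticationMethod": m, "succeeded": True}
                                      for m in methods]}


# The MSP technician issues a TAP for two client users.
AUDIT_LOG = [tap_issued("2024-05-06T09:00:00Z", "tech1@msp.example", "alice@client.example"),
             tap_issued("2024-05-06T13:00:00Z", "tech1@msp.example", "bob@client.example")]

# Alice's TAP is redeemed 20 minutes after issue from an address and an unregistered
# device she has never used (the technician). Bob's is redeemed from his usual
# address and device, consistent with him resetting his own MFA.
SIGNIN_LOG = [
    signin("2024-05-01T08:05:00Z", "alice@client.example", "203.0.113.10", "3f1c-alice-laptop", MFA),
    signin("2024-05-03T08:12:00Z", "alice@client.example", "203.0.113.10", "3f1c-alice-laptop", MFA),
    signin("2024-05-06T09:20:00Z", "alice@client.example", "198.51.100.7", "", [TAP_METHOD]),
    signin("2024-05-02T09:00:00Z", "bob@client.example", "203.0.113.22", "77ab-bob-desktop", MFA),
    signin("2024-05-06T13:15:00Z", "bob@client.example", "203.0.113.22", "77ab-bob-desktop", [TAP_METHOD]),
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def used_tap(record):
    return any(d["authenticationMethod"] == TAP_METHOD and d["succeeded"]
               for d in record["authenticationDetails"])


def build_baseline(signins):
    """Known IPs and device IDs per user, from successful non-TAP sign-ins only."""
    seen = {}
    for r in signins:
        if r["status"]["errorCode"] != 0 or used_tap(r):
            continue
        entry = seen.setdefault(r["userPrincipalName"].lower(), {"ips": set(), "devices": set()})
        entry["ips"].add(r["ipAddress"])
        if r["deviceDetail"].get("deviceId"):
            entry["devices"].add(r["deviceDetail"]["deviceId"])
    return seen


def tap_registrations(audit):
    """(issue time, issuing admin, target user) for each admin-issued TAP."""
    return [(parse_ts(e["activityDateTime"]),
             e["initiatedBy"]["user"]["userPrincipalName"].lower(),
             e["targetResources"][0]["userPrincipalName"].lower())
            for e in audit if e["activityDisplayName"] == TAP_REG_ACTIVITY
            and "temporary access pass" in e.get("resultReason", "").lower()]


def find_suspect_tap_signins(audit, signins, window=timedelta(hours=24)):
    """Successful TAP sign-ins from an IP or device the user never used before,
    joined to the admin(s) who issued a TAP for that user within `window`."""
    baseline, regs, findings = build_baseline(signins), tap_registrations(audit), []
    for r in signins:
        if r["status"]["errorCode"] != 0 or not used_tap(r):
            continue
        upn, when = r["userPrincipalName"].lower(), parse_ts(r["createdDateTime"])
        known = baseline.get(upn, {"ips": set(), "devices": set()})
        device_id = r["deviceDetail"].get("deviceId") or ""
        reasons = []
        if r["ipAddress"] not in known["ips"]:
            reasons.append("ip never seen for this user")
        if not device_id:
            reasons.append("unregistered device")
        elif device_id not in known["devices"]:
            reasons.append("device never seen for this user")
        if not reasons:
            continue  # same place, same device: looks like the user's own recovery
        issuers = sorted({admin for issued, admin, target in regs
                          if target == upn and timedelta(0) <= when - issued <= window})
        findings.append({"user": upn, "time": r["createdDateTime"], "ip": r["ipAddress"],
                         "issuedBy": issuers, "reasons": reasons})
    return findings
```

To run it against real exports, load the two JSON files in place of AUDIT_LOG and SIGNIN_LOG. A hit is not proof of misuse on its own: a user who genuinely lost a device while travelling also trips the IP check, so treat each finding as a question to put to the issuing technician, with the audit log as the record of who created the pass.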
Direct from Microsoft: Why It’s a Violation
Here are explicit Microsoft policies that are being violated:
Microsoft Product Terms (Online Services Terms, Section “User SL Requirements”)
“A User SL is required for each user who accesses the Online Service, directly or indirectly.”
— Microsoft Licensing Terms
If a technician is logging in to a user account, they are indirectly accessing the service using that user’s credentials—without their own license. That’s non-compliant.
Microsoft Licensing Guide for Azure AD Premium
“Each user must have an appropriate license when using features such as Conditional Access, PIM, and TAP.”
— Microsoft Entra Licensing Guide
Technicians using TAP for access must have their own assigned license and be accessing their own account. Using TAP to sign in to another account violates this guidance.
Cybersecurity Frameworks: Credential Sharing = Compliance Failure
NIST SP 800-53 Rev. 5 (AC-2, AC-6)
“The organization prohibits shared accounts for individual user access.”
“Access must be uniquely assigned to individuals and tracked.”
CIS Controls v8 (Control 5.2)
“Use unique credentials for all individual users. Do not use shared or generic accounts.”
ISO/IEC 27001:2022 (A.5.15, A.5.16, A.8.2)
“Access rights should be assigned per individual and based on their roles.”
“User access provisioning must prevent unauthorized use, including shared credentials.”
Using TAP to impersonate a user, even with good intentions, violates these standards. It destroys the audit trail, bypasses accountability, and widens the attack surface considerably.
“But I Have To…” – No, You Don’t
For those saying “but I have to,” it’s time to re-evaluate your stance.
There is no valid reason to sign in as the user without the user sitting there, virtually or physically. If the issue is truly specific to the user—which is rare—then involve them. Let them log in while you’re present, and observe the issue collaboratively.
If they’re not available, your access should be through a privileged support identity—not by impersonating them.
There’s a Better Way: Use PAM and RBAC Tools Properly
If your MSP needs to access machines without user intervention, the right solution is to use tools designed for that purpose. A privileged access management (PAM) tool like TechIDManager can allow you to:
- Grant time-limited access to endpoints
- Track which technician accessed which device and when
- Stay compliant with Microsoft licensing and security best practices
For example, TechIDManager allows you to dynamically provision local admin accounts that are tied to technician identities, with full logging and expiration controls.
Yes, this often requires buying proper licenses (like Intune or Entra P1), but the cost is a small price to pay for security, compliance, and peace of mind.
If you’re relying on TAP to access end-user sessions, it’s time to stop. It may seem convenient, but in reality it opens you, and your clients, to audit failures, licensing violations, and worse. Instead, invest in a legitimate identity and access management strategy that aligns with both Microsoft’s terms and cybersecurity best practices.
In the long run, you’ll save time, reduce risk, and gain trust from your clients.
Remember: shortcuts in security are always longer paths to regret.