[GH-ISSUE #2564] [Feature Request]: Ability to add an exclusion group for TAP passcodes #1296

Closed
opened 2026-03-02 13:43:04 +03:00 by kerem · 2 comments

Originally created by @SGeeves on GitHub (Jun 18, 2024).
Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/2564

Since temporary access passcodes are becoming an extremely useful thing. When enabling the temporary access passcodes, this by default is enabling this for all users, which includes Global Administrators. As an MSP, we like to be able to use the audit log to see who did what when if needed, however the TAP policy enables the creation of the passcode on these admin accounts and then they can sign in as a global admin... defeating the object, and then not being able to easily track.

We have a group created where these high level admin role accounts sit currently so they can be excluded, but currently this is a manual process to head into the Temporary Access Pass settings, and add in an Exclusion on each tenant.

It would be great if there was an ability to add this exclusion within CIPP when being pushed out as a standard.

I am a sponsor under: FutureITNZ

PowerShell commands you would normally use to achieve above request

No response
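The exclusion the request describes, as an added example that is not part of the issue or of CIPP itself: a PowerShell function (the name Add-TapExclusionGroup and the group ID placeholder are assumptions) that appends a group to the Temporary Access Pass method's excludeTargets through Microsoft Graph without touching the existing include/exclude targets. It assumes the Microsoft.Graph.Authentication module and a session granted the Policy.ReadWrite.AuthenticationMethod scope.

```powershell
# Added example, not code from the issue or from CIPP. Adds one group to the
# excludeTargets of the tenant's TAP authentication method configuration.
# Assumes: Microsoft.Graph.Authentication module, Connect-MgGraph already run
# with the Policy.ReadWrite.AuthenticationMethod scope.
function Add-TapExclusionGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Object ID of the group holding the privileged admin accounts.
        [Parameter(Mandatory)] [string] $GroupId
    )
    $uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/' +
           'authenticationMethodConfigurations/TemporaryAccessPass'

    # Read the current configuration so existing targets are preserved.
    $cfg = Invoke-MgGraphRequest -Method GET -Uri $uri

    if ($cfg.state -ne 'enabled') {
        Write-Warning 'TAP is not enabled in this tenant; the exclusion only matters once it is.'
    }

    $exclude = @($cfg.excludeTargets)
    if ($exclude | Where-Object { $_.id -eq $GroupId }) {
        Write-Verbose "Group $GroupId is already excluded; nothing to change."
        return $false
    }
    $exclude += @{ targetType = 'group'; id = $GroupId }

    # Only the fields being changed are sent; includeTargets stays as it is.
    $body = @{
        '@odata.type'  = '#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration'
        excludeTargets = $exclude
    } | ConvertTo-Json -Depth 5

    if ($PSCmdlet.ShouldProcess('TAP authentication method policy', "exclude group $GroupId")) {
        Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType 'application/json'
    }
    return $true
}

# Usage (placeholder group ID, substitute the admin group's object ID):
# Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'
# Add-TapExclusionGroup -GroupId '00000000-0000-0000-0000-000000000000' -WhatIf -Verbose
```

Run it with -WhatIf first to see the intended change per tenant; the function returns $true when it added the group and $false when the exclusion was already present.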

kerem 2026-03-02 13:43:04 +03:00

@KelvinTegelaar commented on GitHub (Jun 20, 2024):

I think it's a better plan to track when this happens and attack the problem, not a symptom:

  • Disable access to your current GAs for your team
  • Set up a CIPP alert for changes to admin passwords
  • Set up a CIPP alert for created TAPs for admins
  • Use CIPP's JIT access instead.

Policy seems more sensible here than the feature, so for now, no :)


@SGeeves commented on GitHub (Jun 20, 2024):

Appreciate the comment @KelvinTegelaar, no worries, fully understand your perspective.
We have already set an exclusion group manually, which CIPP doesn't overwrite as long as TAP is enabled. So we'll stick with that for now then :)
Our stance is to stop it happening rather than reactively action.

Keep up the good work though, loving CIPP and the responsiveness on features and bugs!
