When preparing a Windows 10 / 11 device for a user we often have to sign in with their Microsoft Entra ID (previously called Azure ID) to set everything up. If the user is not available to enter their Microsoft 365 (Entra ID) password and authorise login via MFA, admins can use the Temporary Access Pass feature to login as a user bypassing the password.

This works fine for joining the device to Microsoft Intra ID or configuring desktop and web apps (Teams, Outlook, etc.), but it doesn’t help with the initial login to a Windows device itself.

To log in to a Windows device using the user’s Microsft 365 email and temporary access pass, we have to enable WebSignIn. This is normally done via Microsoft Intune, however, I recently had to do this for a small business in Oxford and the organisation in question wasn’t using Intune. In that case, you can temporarily enable WebSignIn by making a small registry change on the PC locally.

• Login to the device using any local administrator account.
• Open Registry Editor (regedit.exe)
• Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication
  ^{Create the “Authentication” key if it doesn’t exist.}
• Inside the Authentication key create a new DWORD type entry with the name EnableWebSignIn and a value of 1.

• Reboot shouldn’t be necessary. Log out and you should see WebSignIn icon under the Sign-in options.

September 2024
Oxford, Oxfordshire