KelvinTegelaar / CIPP

CIPP is a M365 multitenant management solution
https://cyberdrain.com / https://cipp.app
GNU Affero General Public License v3.0
755 stars 4.42k forks

[Feature Request]: Ability to add an exclusion group for TAP passcodes #2564

Closed SGeeves closed 1 week ago

SGeeves commented 2 weeks ago

Since temporary access passcodes are becoming an extremely useful thing. When enabling the temporary access passcodes, this by default is enabling this for all users, which includes Global Administrators. As an MSP, we like to be able to use the audit log to see who did what when if needed, however the TAP policy enables the creation of the passcode on these admin accounts and then they can sign in as a global admin... defeating the object, and then not being able to easily track.

We have a group created where these high level admin role accounts sit currently so they can be excluded, but currently this is a manual process to head into the Temporary Access Pass settings, and add in an Exclusion on each tenant.

It would be great if there was an ability to add this exclusion within CIPP when being pushed out as a standard.

I am a sponsor under: FutureITNZ

PowerShell commands you would normally use to achieve above request

No response

KelvinTegelaar commented 1 week ago

I think it's a better plan to track when this happens and attack the problem, not a symptom:

Policy seems more sensible here than the feature, so for now, no :)

SGeeves commented 1 week ago

Appreciate the comment @KelvinTegelaar, no worries, fully understand your perspective. We have already set an exclusion group manually, which CIPP doesn't overwrite as long as TAP is enabled. So we'll stick with that for now then :) Our stance is to stop it happening rather than reactively action.

Keep up the good work though, loving CIPP and the responsiveness on features and bugs!
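
The manual step discussed in this thread (adding an exclusion group to each tenant's Temporary Access Pass settings) can be scripted against Microsoft Graph. The following is an added example, not part of the thread and not CIPP code; it assumes the Microsoft.Graph.Authentication module is installed, and the tenant IDs and group object IDs are placeholders.

```powershell
# Added example: merge an exclusion group into the TAP policy of each tenant.
# Assumption: the signed-in account may consent to Policy.ReadWrite.AuthenticationMethod.
# Placeholders: replace tenant IDs and group object IDs with your own values.
$tenants = @(
    @{ TenantId = '<tenant-id-1>'; ExcludeGroupId = '<admin-group-object-id-1>' }
    @{ TenantId = '<tenant-id-2>'; ExcludeGroupId = '<admin-group-object-id-2>' }
)

$uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/' +
       'authenticationMethodConfigurations/TemporaryAccessPass'

foreach ($t in $tenants) {
    Connect-MgGraph -TenantId $t.TenantId -Scopes 'Policy.ReadWrite.AuthenticationMethod' | Out-Null

    # Read the current policy so existing exclusions are kept, not overwritten.
    $current = Invoke-MgGraphRequest -Method GET -Uri $uri
    $targets = @($current.excludeTargets | Where-Object { $_ })
    $existingIds = @($targets | ForEach-Object { $_['id'] })

    if ($existingIds -contains $t.ExcludeGroupId) {
        Write-Output "$($t.TenantId): group already excluded, state=$($current.state)"
    }
    else {
        $targets += @{ id = $t.ExcludeGroupId; targetType = 'group' }
        $body = @{
            '@odata.type'  = '#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration'
            excludeTargets = $targets
        } | ConvertTo-Json -Depth 5

        # PATCH only the exclusion list; the policy state is left as it is.
        Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType 'application/json'

        # Read back and confirm the exclusion is present.
        $after = Invoke-MgGraphRequest -Method GET -Uri $uri
        $ok = @($after.excludeTargets | ForEach-Object { $_['id'] }) -contains $t.ExcludeGroupId
        Write-Output "$($t.TenantId): exclusion applied=$ok, state=$($after.state)"
    }

    Disconnect-MgGraph | Out-Null
}
```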