TAP CODE PROCESS to change MFA method/or phone number.
Temporary Access Pass
A TAP is used to verify your Vodafone identity when setting up the MS Authenticator MFA app [JV1] [BV2] from a device which is not managed or 'trusted' by Vodafone. For example, a new mobile phone which is not yet registered with the Vodafone Intune Company Portal.
To register the Authenticator app on a new or replacement mobile device you need to perform MFA verify your identity - Without access to the Authenticator app on your old device you cannot do this. Therefore, you will need to request a Temporary Access Pass [TAP].
Standard use case (Trusted Device). Maps to use case A[JV3] [BV4]
Users can request a TAP code through this link: Request Temporary Access Pass[JV5] [BV6] . This link is also available through Tobi [JV7] [BV8] | Authenticator MFA | Option 3.
The request requires line manager approval (automated email approval mechanism using MS Azure `Access Package` which and results in an email containing the TAP code being mailed to both user and Line manager.
Once the user has been issued the TAP, he /she can install MS Authenticator on their new device and register their Vodafone account in the app.
From their PC, they should open My Sign-Ins | Security Info | Microsoft.com; entering their Vodafone email address and using the TAP code as the MFA password. Once logged in, click on ‘Add Method’ to start the registration process.[JV9] [BV10]
Standard use case (Un-trusted Device). Maps to use case B
Users on non-Vodafone managed devices (un-trusted device) will have no access to any Vodafone systems without MFA. This means users cannot initiate this TAP request from Tobi or the TAP request portal. This requires two additional steps:
-
Line Manager MS Forms to allow their report to the Request TAP Access Package from an untrusted device: Enable a direct report to use the Temporary Access Pass request form (untrusted device) (office.com)[GIV11] [BV12]
-
The user will then be able to log into TAP Access Package from any untrusted device: My Access (microsoft.com) with only their Vodafone email and password. The use will only be able access this one Vodafone link until they have requested and used their TAP.
Lost /Stolen & Broken Phone
- User Instructions
User goes to https://myaccess.microsoft.com from any client device, authenticating with their Vodafone email address and password only. They should then submit a request for a Temporary Access Pass [TAP]:
Upon submission the manager receives and email requesting approval:
After approving, both will receive the user's TAP code by email.
Please read the instructions contained in the email carefully.
Most importantly:
Please do not forward this mail under any circumstances.[RV13]
Once the TAP code has been communicated to the user by mail, they should open Edge and go to:
https://mysignins.microsoft.com/security-info
Instead of the usual password or MFA challenge, after the user enters their Vodafone email, they will be asked to enter their TAP code
Once logged in, they should click ‘Add Method’ to start the Authenticator app registration:
The user can register their Vodafone account again within the Authenticator app on their replacement /alternate device. They can re-commence the registration guide from step 4 on page 1.
- Line Manager (& user) Instructions
If a user on a non-Vodafone /un-trusted device us unable to use MS Authenticator to verify their Vodafone identity for any reason, they will be unable to log into any Vodafone service or application.
They will need to make contact with you, the Line Manager, straight away (ideally by phone).
To initiate their recovery process, you will need complete this MS Form, which requires that you enter the user’s email address and click ‘Submit’. (Only use this form for this exact use case & this form will only work if you are marked as the user’s Line Manager).
After you have submitted this Form, you should direct the user to https://myaccess.microsoft.com from any client device, authenticating with their Vodafone email address and password only.
They should then submit a request for a Temporary Access Pass [TAP]: 
Upon submission the manager receives and email requesting approval:
After approving, both will receive the user's TAP code by email.
Please read the instructions contained in the email carefully.
Most importantly:
Please do not forward this mail under any circumstances.
You may have to provide the TAP code to the user yourself, as they may not have access to their Vodafone email.
Once the TAP code had been communicated to the user, they should open Edge and go to:
https://mysignins.microsoft.com/security-info
Instead of the usual password or MFA challenge, after the user enters their Vodafone email, they will be asked to enter their TAP code.
Once logged in, they should click ‘Add Method’ to start the Authenticator app registration:
The user can register their Vodafone account again within the Authenticator app on their replacement /alternate device. They can re-commence the registration guide from step 4 on page 1.
Please note: If the old mobile device was lost or stolen, the user should delete the old device as a ‘method’ from within their MFA profile page.
... from a device which is not managed or 'trusted' by Vodafone. For example, a new mobile phone which is not yet registered with the Vodafone Intune Company Portal. [JV1] [JV1]
... working remotely? Presumably a user in the office on a trusted device connect their VIC laptop/desktop to the WLAN/LAN to perform MFA registration via MySign-Ins [JV3]
Use case: User working in the office or remotely on a VIC or compliant device and have issue to update their MFA profile [BV4]
Just to confirm, so this page is available from a VIC without MFA always? [JV5]
yes - you don't even need a TAP to access this page from a VIC or compliant device or trusted network [BV6]
Perhaps a silly questions, but won't Tobi require MFA at this stage? [JV7]
Tobi not require MFA as far as i know [BV8]
I think worth adding two methods; MS Authenticator app and Mobile Phone for SMS to avoid future "unhappy paths" [JV9]
the form is now published [BV12]
Can 'Do not forward' be enforced via AIP? [RV13]