
Summary
Identifies the creation of a Temporary Access Pass (TAP) for a Microsoft Entra ID (Azure AD) user account. TAPs are time-limited, passwordless credentials that can bypass MFA, enabling unauthorized access if issued by an attacker with elevated privileges. The rule analyzes Azure AD audit logs for TAP-related events and correlates potential abuse with subsequent sign-in activity and method registrations to detect privilege abuse and attempts at persistence. Primary detection looks for: (1) "User registered security info" with a result_reason of "User registered temporary access pass method", (2) "Create Temporary Access Pass method for user", or (3) "Admin registered security info" where modified properties reference a TemporaryAccessPass. The query requires a successful event outcome and focuses on events within logs-azure.auditlogs-* to flag likely adversarial TAP issuance and use. The rule maps to MITRE ATT&CK techniques such as Cloud Accounts (T1078.004) under Initial Access and Use Alternate Authentication Material (T1550) under Lateral Movement, indicating both credential abuse and potential lateral movement using TAP. It also provides an investigation framework, triage steps, false positives, and remediation guidance to help incident responders validate and contain potential TAP abuse.
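As an added example (not the rule's own query or Elastic's code), the following Python sketch applies the three detection conditions from the summary, plus the success-outcome and index-pattern filters, to a handful of constructed Azure AD audit records, and then performs the sign-in correlation the summary mentions. The event shape and field names (`azure.auditlogs.operation_name`, `azure.auditlogs.result_reason`, `azure.auditlogs.properties.target_resources[].modified_properties`, `event.outcome`, `_index`) are modelled on an ECS-style Azure audit log document and are assumptions for this example, as are the sample users, timestamps and the 24-hour correlation window.

```python
"""Toy detector for Temporary Access Pass (TAP) issuance in Azure AD audit logs.

Field names mimic an ECS-style Azure audit log document but are assumptions
for this example; the real rule's query is not reproduced here.
"""
import fnmatch
from datetime import datetime, timedelta
from typing import Any

INDEX_PATTERN = "logs-azure.auditlogs-*"
TAP_REASON = "User registered temporary access pass method"


def _get(event: dict, path: str, default: Any = None) -> Any:
    """Walk a dotted path through nested dicts, e.g. 'azure.auditlogs.operation_name'."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def _modified_props_mention_tap(event: dict) -> bool:
    """True if any modified property on any target resource references a TemporaryAccessPass."""
    for resource in _get(event, "azure.auditlogs.properties.target_resources") or []:
        for prop in resource.get("modified_properties") or []:
            if "TemporaryAccessPass" in " ".join(str(v) for v in prop.values()):
                return True
    return False


def is_tap_issuance(event: dict) -> bool:
    """Condition (1), (2) or (3) from the summary, gated on success and the audit-log index."""
    if not fnmatch.fnmatch(event.get("_index", ""), INDEX_PATTERN):
        return False
    if _get(event, "event.outcome") != "success":
        return False
    op = _get(event, "azure.auditlogs.operation_name", "")
    reason = _get(event, "azure.auditlogs.result_reason", "")
    if op == "User registered security info" and reason == TAP_REASON:
        return True  # (1) self-service TAP registration
    if op == "Create Temporary Access Pass method for user":
        return True  # (2) explicit TAP creation
    if op == "Admin registered security info" and _modified_props_mention_tap(event):
        return True  # (3) admin-side registration referencing a TAP
    return False


def find_tap_issuance(events: list) -> list:
    """Return the ids of events that match the TAP issuance logic."""
    return [e["id"] for e in events if is_tap_issuance(e)]


def correlate_signins(tap_events: list, signins: list, window: timedelta = timedelta(hours=24)) -> list:
    """For each TAP issuance, list sign-ins by the same target user inside the window."""
    hits = []
    for tap in tap_events:
        resources = _get(tap, "azure.auditlogs.properties.target_resources") or []
        user = resources[0].get("user_principal_name") if resources else None
        t0 = datetime.fromisoformat(tap["@timestamp"])
        for s in signins:
            t1 = datetime.fromisoformat(s["@timestamp"])
            if user and _get(s, "user.name") == user and t0 <= t1 <= t0 + window:
                hits.append({"user": user, "tap_event": tap["id"], "signin_at": s["@timestamp"]})
    return hits


def _audit(eid, index, op, outcome, reason="", modified=None, upn="alice@example.test", ts="2024-01-10T08:00:00+00:00"):
    """Build a constructed audit record in the assumed ECS-like shape."""
    return {"id": eid, "_index": index, "@timestamp": ts, "event": {"outcome": outcome},
            "azure": {"auditlogs": {"operation_name": op, "result_reason": reason,
                      "properties": {"target_resources": [
                          {"user_principal_name": upn, "modified_properties": modified or []}]}}}}


# Constructed sample data (not real telemetry).
SAMPLE_AUDIT_EVENTS = [
    _audit("e1", "logs-azure.auditlogs-default", "User registered security info", "success", TAP_REASON),
    _audit("e2", "logs-azure.auditlogs-default", "User registered security info", "success",
           "User registered Authenticator App with Notification and Code"),
    _audit("e3", "logs-azure.auditlogs-default", "Create Temporary Access Pass method for user", "failure"),
    _audit("e4", "logs-azure.auditlogs-default", "Admin registered security info", "success",
           modified=[{"display_name": "StrongAuthenticationMethod", "new_value": "[\"TemporaryAccessPass\"]"}],
           upn="bob@example.test", ts="2024-01-10T09:00:00+00:00"),
    _audit("e5", "logs-azure.auditlogs-default", "Admin registered security info", "success",
           modified=[{"display_name": "StrongAuthenticationMethod", "new_value": "[\"PhoneAuthentication\"]"}]),
    _audit("e6", "logs-azure.signinlogs-default", "Create Temporary Access Pass method for user", "success"),
]
SAMPLE_SIGNINS = [
    {"@timestamp": "2024-01-09T07:00:00+00:00", "user": {"name": "alice@example.test"}},  # before the TAP
    {"@timestamp": "2024-01-10T10:15:00+00:00", "user": {"name": "alice@example.test"}},  # within window
    {"@timestamp": "2024-01-12T09:30:00+00:00", "user": {"name": "bob@example.test"}},    # outside window
    {"@timestamp": "2024-01-10T11:00:00+00:00", "user": {"name": "carol@example.test"}},  # no TAP issued
]

if __name__ == "__main__":
    matched = [e for e in SAMPLE_AUDIT_EVENTS if is_tap_issuance(e)]
    print("TAP issuance:", [e["id"] for e in matched])
    print("Follow-on sign-ins:", correlate_signins(matched, SAMPLE_SIGNINS))
```

Only `e1` (self-service TAP registration) and `e4` (admin registration whose modified property names a TemporaryAccessPass) match; `e3` is dropped by the success filter and `e6` by the index pattern, and the correlation step surfaces only the sign-in by `alice@example.test` that follows her TAP within the window, which is the pairing a responder would triage first.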
Categories
- Cloud
- Identity Management
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1078
- T1078.004
- T1550
Created: 2026-05-20