What Role is required to configure One-time Bypass in AAD MFA?

Alex Ryan 21 Reputation points
2021-09-08T21:42:55.56+00:00

I seem to having trouble finding documentation on what the minimal role required is for an account to configure the One-Time Bypass option in Azure MFA (OneTimeBypassBlade in AAD_IAM). It appeared from https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference that the Authentication Policy Administrator role would provide access, but in testing we found this did not work. So rather than hunt for days/flip role eligibility on and off, I thought it might be worth asking.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,061 questions
0 comments No comments
{count} votes

Accepted answer
  1. Marilee Turscak-MSFT 35,461 Reputation points Microsoft Employee
    2021-09-08T23:11:55.16+00:00

    Currently, one-time bypass is only available for MFA server, and it is not available for Azure MFA. Our Product Group intends to add this feature to Cloud MFA. However, there is no ETA yet.

    For the MFA Server one-time bypass you need an account with admin rights for the computer and Domain if applicable. Microsoft also no longer offers MFA Server for new deployments.

    If you have fulfilled the prerequisites and it is still not working, feel free to send me an email with the details of your setup and scenario (will leave my email in a private comment).


1 additional answer

Sort by: Most helpful
  1. USNOOZEYULOSEY 1 Reputation point
    2022-04-22T01:51:03.407+00:00

    If you went to Users > Authentication methods >Add authentication method, you can then do a Temporary Access Pass or TAP. We dont but we found that adding the mobile option instead suited us as a one time bypass. Once the user was in we get them (as admins) to add their correct MFA in.

    We did this because CA was set to block outside connections.

    I had to PIM to Privileged Authentication Administrator.

    Im still new to Azure but that seems to me like a one time bypass.

    0 comments No comments