What Role is required to configure One-time Bypass in AAD MFA?

Alex Ryan 21 Reputation points
2021-09-08T21:42:55.56+00:00

I seem to be having trouble finding documentation on what the minimal role required is for an account to configure the One-Time Bypass option in Azure MFA (OneTimeBypassBlade in AAD_IAM). It appeared from https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference that the Authentication Policy Administrator role would provide access, but in testing we found this did not work. So rather than hunt for days/flip role eligibility on and off, I thought it might be worth asking.

Microsoft Entra ID

Accepted answer
Marilee Turscak-MSFT 36,411 Reputation points Microsoft Employee
    2021-09-08T23:11:55.16+00:00

    Currently, one-time bypass is only available for MFA server, and it is not available for Azure MFA. Our Product Group intends to add this feature to Cloud MFA. However, there is no ETA yet.

    For the MFA Server one-time bypass you need an account with admin rights for the computer and Domain if applicable. Microsoft also no longer offers MFA Server for new deployments.

    If you have fulfilled the prerequisites and it is still not working, feel free to send me an email with the details of your setup and scenario (will leave my email in a private comment).


1 additional answer

USNOOZEYULOSEY 1 Reputation point
    2022-04-22T01:51:03.407+00:00

    If you went to Users > Authentication methods > Add authentication method, you can then do a Temporary Access Pass or TAP. We don't, but we found that adding the mobile option instead suited us as a one-time bypass. Once the user was in we get them (as admins) to add their correct MFA in.

    We did this because CA was set to block outside connections.

    I had to PIM to Privileged Authentication Administrator.

    I'm still new to Azure but that seems to me like a one-time bypass.

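The TAP workaround from the answer above, done with Microsoft Graph PowerShell instead of the portal (an added example, not code from the original post or from Microsoft). It assumes the Microsoft.Graph modules are installed, the Temporary Access Pass method is enabled in the tenant's authentication methods policy, and the signed-in admin holds a role permitted to manage authentication methods (the answer used Privileged Authentication Administrator via PIM); the `$UserPrincipalName` parameter and the 60-minute default are the example's own choices.

```powershell
# Added example: issue a single-use, short-lived Temporary Access Pass so a user
# blocked by Conditional Access can sign in once and register their real MFA method.
param(
    [Parameter(Mandatory)] [string]$UserPrincipalName,
    [int]$LifetimeInMinutes = 60   # assumed default; keep the window short
)

# Scope needed to create/list a user's authentication methods.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All", "User.Read.All"

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName

# -IsUsableOnce makes this a true one-time bypass: the pass is consumed by the first
# successful sign-in. A short lifetime limits how long a leaked pass stays valid.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id `
    -LifetimeInMinutes $LifetimeInMinutes -IsUsableOnce

# The pass value is only returned at creation time; deliver it to the user out of band.
Write-Output ("TAP for {0}: {1} (starts {2}, valid {3} min, single use: {4})" -f
    $user.UserPrincipalName, $tap.TemporaryAccessPass, $tap.StartDateTime,
    $tap.LifetimeInMinutes, $tap.IsUsableOnce)

# Follow-up check from the answer's last step: once the user has registered their own
# MFA method, list what is registered so the admin can confirm it and see whether an
# unused TAP is still present (remove it with
# Remove-MgUserAuthenticationTemporaryAccessPassMethod if so).
Get-MgUserAuthenticationMethod -UserId $user.Id |
    Select-Object Id, @{ Name = 'Type'; Expression = { $_.AdditionalProperties['@odata.type'] } }
```

Run it as `.\New-OneTimeTap.ps1 -UserPrincipalName user@contoso.example`; the TAP creation call fails if the method is not enabled in the authentication methods policy, which is the first thing to check when it does not work.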