I seem to be having trouble finding documentation on what the minimal role required is for an account to configure the One-Time Bypass option in Azure MFA (OneTimeBypassBlade in AAD_IAM). It appeared from https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference that the Authentication Policy Administrator role would provide access, but in testing we found this did not work. So rather than hunt for days/flip role eligibility on and off, I thought it might be worth asking.