Question

0 Votes
AlexRyan-8725 asked · USNOOZEYULOOSEY-9159 edited

What Role is required to configure One-time Bypass in AAD MFA?

I seem to be having trouble finding documentation on what the minimal role required is for an account to configure the One-Time Bypass option in Azure MFA (OneTimeBypassBlade in AAD_IAM). It appeared from https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference that the Authentication Policy Administrator role would provide access, but in testing we found this did not work. So rather than hunt for days/flip role eligibility on and off, I thought it might be worth asking.

azure-ad-authentication

0 Votes
MarileeTurscak-MSFT answered · USNOOZEYULOOSEY-9159 commented

Currently, one-time bypass is only available for MFA server, and it is not available for Azure MFA. Our Product Group intends to add this feature to Cloud MFA. However, there is no ETA yet.

For the MFA Server one-time bypass you need an account with admin rights for the computer and domain, if applicable. Microsoft also no longer offers MFA Server for new deployments.

If you have fulfilled the prerequisites and it is still not working, feel free to send me an email with the details of your setup and scenario (will leave my email in a private comment).


Hey all,

Has there been any progress on this? I could have benefited on a few occasions from having this feature due to our Conditional Access policies.

Thank you

0 Votes

0 Votes
USNOOZEYULOOSEY-9159 answered · USNOOZEYULOOSEY-9159 edited

If you go to Users > Authentication methods > Add authentication method, you can then do a Temporary Access Pass or TAP. We don't, but we found that adding the mobile option instead suited us as a one-time bypass. Once the user was in, we get them (as admins) to add their correct MFA in.

We did this because CA was set to block outside connections.

I had to PIM to Privileged Authentication Administrator.

I'm still new to Azure, but that seems to me like a one-time bypass.
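The portal steps in the answer above (Users > Authentication methods > Add authentication method > Temporary Access Pass) can also be scripted. The following is an added example, not code from the thread or from Microsoft: it issues a single-use, short-lived Temporary Access Pass through the Microsoft Graph PowerShell SDK, lists what is registered afterwards, and shows how to revoke it early. It assumes the Microsoft.Graph module is installed, that TAP is enabled in the tenant's Authentication methods policy, and that the signed-in admin holds a role permitted to manage users' authentication methods (the answer above reports needing Privileged Authentication Administrator via PIM). The UPN is a placeholder.

```powershell
# Added example (not from the thread): issue a one-time Temporary Access Pass via Graph.
# Assumes: Microsoft.Graph SDK installed, TAP enabled in the Authentication methods policy,
# and an admin role that may manage authentication methods. UPN below is a placeholder.

$UserPrincipalName = 'user@example.com'   # placeholder: replace with the real UPN
$LifetimeMinutes   = 60                   # keep the bypass window short

# Least-privilege scope for creating and reading a user's authentication methods.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

$user = Get-MgUser -UserId $UserPrincipalName

# A pass that can be redeemed exactly once and expires after $LifetimeMinutes.
# This is the scripted equivalent of the portal's "Temporary Access Pass" method.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id -BodyParameter @{
    isUsableOnce      = $true
    lifetimeInMinutes = $LifetimeMinutes
}

# The pass value is returned only at creation time; deliver it to the user out of band
# and do not write it to shared logs.
Write-Host "TAP for $($user.UserPrincipalName): $($tap.TemporaryAccessPass)"
Write-Host "Single use, valid for $LifetimeMinutes minutes, method id $($tap.Id)"

# Confirm what is now registered on the account (the pass value is not shown here).
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id |
    Select-Object Id, IsUsableOnce, LifetimeInMinutes, StartDateTime, IsUsable

# Revoke early once the user has registered their permanent MFA method.
# Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id `
#     -TemporaryAccessPassAuthenticationMethodId $tap.Id
```

A single-use pass with a short lifetime gives the same "let the user in once so they can register proper MFA" effect the answer describes, without leaving a phone number or other long-lived method on the account that later has to be cleaned up. The minimum and maximum lifetime, and whether single-use is enforced, come from the tenant's TAP policy, so values outside that range are rejected at creation.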
