The one-time-bypass feature is only available for Azure MFA with server/sdk implementations.
We use Azure MFA in a cloud-only setup. We don't have any server/sdk running. We would like to use the one-time-bypass feature.
How is this not already possible? In the real world, people do forget their phones, landlines go down, etc. There should be a way for admins to enable a 2/4/8/24 hour one-time bypass for individual users, without requiring users to set up MFA from scratch again.
This is yet another case of Microsoft making something new but not committing to feature parity, and honestly I am getting sick of it. Using an exclusion group isn't good enough as there is room for human error of NOT removing the user after a period of time. This is requiring us to spend real money on a development resource to make something that adds users to the group and removes them shortly after while also purging any manual users who are put in not via the tool. This sucks. Microsoft, get on your game. You want people to use Cloud MFA, then make it fully featured; it's been years already.
David Oderberg commented
Why not have an MFA exclusion group so that if MFA is down, Microsoft flips a switch and everyone in this group does not require MFA? That would have solved the issue yesterday. Also, how about a one-click temporary pause of requiring MFA, and give support the ability to do this on call-in to support?
This is unbelievable, we trusted Microsoft and they are failing us. There is an outage in MFA service and we can't even give one time bypass to our users.
How difficult would it be to give a user one free ticket? This is way overdue; this is way behind any competitor.
Please implement this.
In case there's an outage at Azure/Office365 like today, nobody is able to log in, so production time is lost. Being able to bypass MFA temporarily would solve this for the time being.
This would be a great addition
Dan Hurst commented
Why don't you just create a Conditional MFA exclusion group so that your Help Desk can move users into and out of the exclusion group as needed? We are finding we also need a JIT CA MFA exclusion group to accommodate CA MFA registration for field users.
This is exactly our predicament as well. We need the Azure MFA in cloud to be able to temporarily disable MFA for a user, WITHOUT deleting their device association. Our third-party MFA application can be toggled on or off, but since we need Azure MFA to plug the basic authentication hole, we're screwed when a user forgets or loses their phone and needs to work, for which the only workaround is to totally disable MFA for the user and then set it all up all over again. Way to go MS.....
Johan Schmidt commented
I thought that upgrading to EMS on all of our accounts would enable the possibility to use One-Time pass, but NO. Another thing not so thought through by MSFT. Rolling out 2000 MFA users in O365 right now. How does Microsoft think about supporting them?
Kev Maitland commented
Agreed - this is very poorly explained, and is a ballache once you've paid for P1 or EM+S licenses and still can't use the functionality. How do people manage /without/ this?
Alex Strupler commented
This feature is really needed and it is more than time for it to be implemented. As you are hopefully going to implement this, it is important that it will be possible to configure One-Time Bypass for 24 hours for a user! (This is a real-life scenario: most times it is needed, the user forgot his mobile device at home and the next possible two-factor login will only be the next working day!)
This is a big problem for implementing Azure MFA at our company and some of our clients. Is there a roadmap available for this feature or is Microsoft planning to build this feature in 2018?
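Added example, not part of the thread and not Microsoft code: a sketch of the reconciliation logic behind the time-boxed exclusion group tool one commenter describes (add a user for a fixed window, remove them when it ends, purge anyone added by hand). The ledger structure, function names and sample users are assumptions; reading and changing the real group membership is left to whatever directory API the tenant uses.

```python
from datetime import datetime, timedelta, timezone

ALLOWED_HOURS = (2, 4, 8, 24)  # bypass windows asked for in the thread

def grant(ledger, user, hours, approver, now):
    """Record a time-boxed bypass; the ledger is the only source of truth."""
    if hours not in ALLOWED_HOURS:
        raise ValueError(f"window must be one of {ALLOWED_HOURS} hours")
    ledger[user] = {"expires": now + timedelta(hours=hours), "approver": approver}

def reconcile(ledger, group_members, now):
    """Diff the ledger against the exclusion group's actual membership.

    Returns (to_add, to_remove); to_remove maps each user to the reason:
    "expired" (grant ran out) or "unmanaged" (added by hand, never granted).
    """
    active = {u for u, g in ledger.items() if g["expires"] > now}
    members = set(group_members)
    to_add = sorted(active - members)
    to_remove = {u: ("expired" if u in ledger else "unmanaged")
                 for u in sorted(members - active)}
    return to_add, to_remove

def demo():
    # Constructed sample data: user names and times are made up.
    start = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)
    ledger = {}
    grant(ledger, "alice", 2, "helpdesk1", start)
    grant(ledger, "bob", 24, "helpdesk1", start)
    # Group as read from the directory three hours later: bob's add has not
    # been applied yet and "mallory" was put in by hand.
    members = ["alice", "mallory"]
    return reconcile(ledger, members, start + timedelta(hours=3))

if __name__ == "__main__":
    add, remove = demo()
    print("add:", add)
    print("remove:", remove)
```

Running the reconcile step on a short schedule, and logging every "unmanaged" removal with the approver field for granted users, is what closes the human-error gap the exclusion group has on its own.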