Hello @JLaw,
Thank you for posting your query on Microsoft Q&A.
It is recommended that at least one emergency access / break-glass account should be excluded from all Conditional Access policies.
Yes, it is recommended to exclude at least one emergency access or break-glass account from all Conditional Access policies. This helps prevent a tenant lockout scenario. In real-world cases, excluding such an account ensures access even if Conditional Access policies are misconfigured.
With the latest mandatory MFA enforcement, even emergency/break-glass accounts will require an MFA prompt when signing into the Azure, Entra, and Intune portals. These accounts must be registered with strong authentication methods, such as a passkey (FIDO2) or certificate-based authentication for MFA.
How does this work now that break-glass accounts are in scope for mandatory MFA?
Yes, all accounts accessing Azure, Entra, or Intune portals must undergo MFA when the enforcement begins. This includes break-glass or emergency access accounts.
How is mandatory MFA implemented / enforced by Microsoft?
This MFA enforcement is applied at the client application level and is not tied to Conditional Access policies. The enforcement comes directly from the client application itself.
If MFA is enforced outside what's configurable in the Azure portal, presumably this means that as long as a break-glass account has two or more sign-in methods registered, MFA will still work, and it can be excluded from any CA policies as MFA is enforced separately by Microsoft?
Yes, you can still exclude emergency accounts from Conditional Access policies. However, MFA will still be enforced for Azure, Entra, and Intune portal sign-ins. It's always recommended to exclude emergency accounts from Conditional Access policies to ensure continued access if there's an issue with block policies. The mandatory MFA enforcement will apply only to sign-ins from these specific portals when the enforcement begins.
Below is a list of applications where mandatory MFA will be enforced in phases.
I hope this information is helpful. Please feel free to reach out if you have any further questions.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Thanks,
Raja Pothuraju.
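As an added example (not part of the original thread or of Microsoft's own tooling), here is a Python check that audits the recommendation above: it walks Conditional Access policies in the JSON shape the Graph API returns and reports every enabled or report-only policy that does not exclude all break-glass accounts. The sample policies and IDs are constructed placeholders, and the code assumes that a break-glass group listed in excludeGroups contains all of the break-glass accounts.

```python
"""Audit Conditional Access policies for break-glass account exclusions."""

# Constructed sample in the shape returned by
# GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
# (only the fields the audit needs). IDs are placeholders, not real tenant values.
BREAKGLASS_USERS = {"bg-user-1", "bg-user-2"}
BREAKGLASS_GROUPS = {"bg-group"}  # assumption: contains every break-glass user

SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["bg-user-1", "bg-user-2"],
                              "excludeGroups": []}}},
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": [],
                              "excludeGroups": ["bg-group"]}}},
    {"displayName": "Require compliant device", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["bg-user-1"],
                              "excludeGroups": []}}},
    {"displayName": "Old pilot policy", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": [], "excludeGroups": []}}},
]


def missing_exclusions(policies, breakglass_users, breakglass_groups):
    """Return {policy displayName: [break-glass user ids not excluded]}.

    Disabled policies are skipped; report-only policies are still checked
    because they are usually switched to enforced later. A user counts as
    excluded if its id is in excludeUsers or a break-glass group is in
    excludeGroups (the group is assumed to contain all break-glass users).
    """
    findings = {}
    for policy in policies:
        if policy.get("state") == "disabled":
            continue
        users = policy.get("conditions", {}).get("users", {})
        excluded_users = set(users.get("excludeUsers", []))
        excluded_groups = set(users.get("excludeGroups", []))
        group_covered = bool(excluded_groups & set(breakglass_groups))
        not_excluded = sorted(u for u in breakglass_users
                              if u not in excluded_users and not group_covered)
        if not_excluded:
            findings[policy["displayName"]] = not_excluded
    return findings


if __name__ == "__main__":
    for name, ids in missing_exclusions(SAMPLE_POLICIES, BREAKGLASS_USERS, BREAKGLASS_GROUPS).items():
        print(f"{name}: break-glass accounts not excluded: {', '.join(ids)}")
```

Against a real tenant, feed the function the `value` array from the Graph endpoint named in the comment and your own break-glass object IDs; an empty result means every active policy excludes them.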