Hi, you need to exclude the break glass account from MFA. That is required in case MFA is somehow broken or the other admins in your tenant do not have access to their devices. Excluding it from MFA means authentication is by password only, so secure the credentials and ensure they are complex so they can't be easily guessed. If you are monitoring sign-ins, be sure to monitor and report any usage by this account as well.
How to create break glass account in M365 tenant? What are the best practices and what all are the prerequisites for the same?
I have gone through this document, but it is a bit unclear: I created an account and it still requires MFA, but as per this document we should not use Azure AD MFA and should use a different form of authentication that is outside the M365 tenant, or maybe a third-party solution. https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access Can anyone help here and make this clear?
2 answers
Andy David - MVP 145.6K Reputation points MVP
2023-04-13T11:19:23.62+00:00

Hi, use an existing Global Admin account and follow these steps: https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access#how-to-create-an-emergency-access-account

Then exclude this new account from your conditional access policy, under Users in the policy that enforces MFA: add the break glass account here.
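One way to verify the two points made in this thread (the account is excluded from every enforced MFA policy, and any use of it is reported), as an added example that is not part of either answer: a Python check over Conditional Access policy and sign-in records in the shape the Microsoft Graph `conditionalAccess/policies` and `auditLogs/signIns` resources return. The object id, UPN, policy names and sign-in entries below are constructed; in practice you would pull the real records from Graph.

```python
"""Audit a break-glass account: is it excluded from every enabled MFA policy,
and has it been used? Added example; records below are constructed samples."""

BREAK_GLASS_ID = "00000000-0000-0000-0000-0000000000bg"   # constructed object id
BREAK_GLASS_UPN = "breakglass@example.onmicrosoft.com"     # constructed UPN

# Constructed sample policies (subset of the Graph conditionalAccessPolicy fields).
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth (report-only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

# Constructed sample sign-in records (subset of the Graph signIn fields).
SIGNINS = [
    {"userPrincipalName": "alice@example.onmicrosoft.com",
     "createdDateTime": "2023-04-13T10:00:00Z", "ipAddress": "203.0.113.5"},
    {"userPrincipalName": "BreakGlass@example.onmicrosoft.com",
     "createdDateTime": "2023-04-13T11:02:00Z", "ipAddress": "198.51.100.7"},
]

def mfa_policies_missing_exclusion(policies, user_id):
    """Names of enabled policies that require MFA but do not exclude user_id.
    Disabled and report-only policies are skipped: they never block a sign-in."""
    missing = []
    for p in policies:
        if p.get("state") != "enabled":
            continue
        controls = (p.get("grantControls") or {}).get("builtInControls") or []
        if "mfa" not in controls:
            continue
        excluded = p["conditions"]["users"].get("excludeUsers", [])
        if user_id not in excluded:
            missing.append(p["displayName"])
    return missing

def break_glass_signins(signins, upn):
    """Every sign-in by the break-glass UPN should be reported; UPNs are compared
    case-insensitively because they are not case-sensitive."""
    return [s for s in signins if s.get("userPrincipalName", "").lower() == upn.lower()]

if __name__ == "__main__":
    print("MFA policies still covering break glass:", mfa_policies_missing_exclusion(POLICIES, BREAK_GLASS_ID))
    print("Break-glass sign-ins to report:", break_glass_signins(SIGNINS, BREAK_GLASS_UPN))
```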