This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 82%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVS%3C/text%3E%3C/svg%3E)
How to create break glass account in M365 tenant? What are the best practices and what all are the prerequisites for the same? I have gone through this document but its bit not clear as I created account and its still required MFA but as per this document we should not use Azure AD MFA and we should use different form of authentication which is outside the M365 tenant or may be third party solution. https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access Can anyone help here and make this clear?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 78%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.
Hi, you need to exclude the BreakGlass from MFA. That is required in case MFA is somehow broken or the other Admins in your tenant do not have access to their devices. Excluding from MFA means authentication is by password only, so secure the credentials and ensure they are complex so it cant be easily guessed. If you are monitoring signins, be sure to monitor and report any usage by this account as well.
Thanks for answering on this @Andy David - MVP . Could you please share the steps to create as I have gone through this document shared but I am not able to make that account MFA free. What role or privilege's are required to make that happen? As I can see when I try to remove that user from company wide group it says you don't have enough privileges'
Hi, use an existing Global Admin Account and follow these steps:
https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access#how-to-create-an-emergency-access-account
Then exclude this new account from your conditional access policy under users in the policy that enforces MFA:
Add the breakglass account here
Thanks for reply @Andy David - MVP I will check this and let you know.
I tried removing that account from all the CA policies but still its asking for MFA registration while login in. Can you guide me on this? @Andy David - MVP
If the MFA registration policy is set to all users, you will need to exclude that account from it as well: https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy#policy-configuration
Hi @Andy David - MVP , I have made the changes as per above shared docs but still its not working as expected. What else is missing or need to make changes? Can you help me on this?
How long did you wait? What do the Azure sign in logs show for the break glass account? Is there a conditional access policy enforcing MFA or per user? You can't exclude MFA if using the Azure Security Defaults
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
@Andy David - MVP I have excluded this account from all CA policies plus MFA is not enabled on this account. The solution which I got from MS engineer is that I should complete the MFA registration process first and then it will not ask for any MFA when I am trying to signing in next time.
